Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_acl.c12
-rw-r--r--sys/kern/kern_exec.c2
-rw-r--r--sys/kern/kern_ktrace.c2
-rw-r--r--sys/kern/kern_prot.c42
-rw-r--r--sys/kern/kern_resource.c2
-rw-r--r--sys/kern/kern_sysctl.c2
-rw-r--r--sys/kern/kern_xxx.c2
-rw-r--r--sys/kern/subr_acl_posix1e.c12
-rw-r--r--sys/kern/vfs_acl.c12
-rw-r--r--sys/kern/vfs_extattr.c10
-rw-r--r--sys/kern/vfs_subr.c12
-rw-r--r--sys/kern/vfs_syscalls.c10
12 files changed, 60 insertions, 60 deletions
diff --git a/sys/kern/kern_acl.c b/sys/kern/kern_acl.c
index 01e5e3ba..7beca5c 100644
--- a/sys/kern/kern_acl.c
+++ b/sys/kern/kern_acl.c
@@ -92,7 +92,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_cred(cred, PRISON_ROOT) == 0)
+ if (suser_cred(cred, SUSER_ALLOWJAIL) == 0)
cap_granted = VALLPERM;
else
cap_granted = 0;
@@ -101,24 +101,24 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
if (type == VDIR) {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_READ_SEARCH, PRISON_ROOT))
+ CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_EXECUTE, PRISON_ROOT))
+ CAP_DAC_EXECUTE, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
}
if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VREAD;
if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
- !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL))
cap_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VADMIN;
#endif /* CAPABILITIES */
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 3f99b8d..7357468 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -536,7 +536,7 @@ interpret:
*/
setsugid(p);
#ifdef KTRACE
- if (p->p_tracevp != NULL && suser_cred(oldcred, PRISON_ROOT)) {
+ if (p->p_tracevp != NULL && suser_cred(oldcred, SUSER_ALLOWJAIL)) {
mtx_lock(&ktrace_mtx);
p->p_traceflag = 0;
tracevp = p->p_tracevp;
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 694634a..98c0872 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -895,7 +895,7 @@ ktrcanset(td, targetp)
PROC_LOCK_ASSERT(targetp, MA_OWNED);
if (targetp->p_traceflag & KTRFAC_ROOT &&
- suser_cred(td->td_ucred, PRISON_ROOT))
+ suser_cred(td->td_ucred, SUSER_ALLOWJAIL))
return (0);
if (p_candebug(td, targetp) != 0)
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 221a84c..2a0aafb 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -524,7 +524,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
#endif
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
uifree(uip);
crfree(newcred);
@@ -544,7 +544,7 @@ setuid(struct thread *td, struct setuid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
uid == oldcred->cr_uid ||
#endif
- suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
+ suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
#endif
{
/*
@@ -606,7 +606,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
uifree(euip);
crfree(newcred);
@@ -668,7 +668,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
@@ -684,7 +684,7 @@ setgid(struct thread *td, struct setgid_args *uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
gid == oldcred->cr_groups[0] ||
#endif
- suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
+ suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
#endif
{
/*
@@ -743,7 +743,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
@@ -789,7 +789,7 @@ setgroups(struct thread *td, struct setgroups_args *uap)
newcred = crget();
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = suser_cred(oldcred, PRISON_ROOT);
+ error = suser_cred(oldcred, SUSER_ALLOWJAIL);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -853,7 +853,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
ruid != oldcred->cr_svuid) ||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
uifree(ruip);
uifree(euip);
@@ -909,7 +909,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
rgid != oldcred->cr_svgid) ||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
@@ -977,7 +977,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
suid != oldcred->cr_svuid &&
suid != oldcred->cr_uid)) &&
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
uifree(ruip);
uifree(euip);
@@ -1045,7 +1045,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
sgid != oldcred->cr_svgid &&
sgid != oldcred->cr_groups[0])) &&
- (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
+ (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
PROC_UNLOCK(p);
crfree(newcred);
return (error);
@@ -1233,7 +1233,7 @@ suser_cred(struct ucred *cred, int flag)
return (EPERM);
if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
return (EPERM);
- if (jailed(cred) && !(flag & PRISON_ROOT))
+ if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
return (EPERM);
return (0);
}
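Review bot: The jail test at the end of suser_cred() has no comment stating that a jailed credential is denied by default and that SUSER_ALLOWJAIL is the caller's opt-in. With the flag now named for that purpose, I would add `/* Jailed root is denied unless the caller opted in with SUSER_ALLOWJAIL. */` above `if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))`. Each call site changed in this commit passes the flag (kern_sysctl.c only for CTLFLAG_PRISON oids), so each is a decision that the operation is acceptable inside a jail, and the comment would make that the documented contract. The function begins outside the hunk.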
@@ -1324,7 +1324,7 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2)
{
if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (suser_cred(u1, PRISON_ROOT) != 0)
+ if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
return (ESRCH);
}
return (0);
@@ -1363,7 +1363,7 @@ cr_seeothergids(struct ucred *u1, struct ucred *u2)
break;
}
if (!match) {
- if (suser_cred(u1, PRISON_ROOT) != 0)
+ if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
return (ESRCH);
}
}
@@ -1480,7 +1480,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
break;
default:
/* Not permitted without privilege. */
- error = suser_cred(cred, PRISON_ROOT);
+ error = suser_cred(cred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1495,7 +1495,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
cred->cr_uid != proc->p_ucred->cr_ruid &&
cred->cr_uid != proc->p_ucred->cr_svuid) {
/* Not permitted without privilege. */
- error = suser_cred(cred, PRISON_ROOT);
+ error = suser_cred(cred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1564,11 +1564,11 @@ p_cansched(struct thread *td, struct proc *p)
return (0);
if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
return (0);
- if (suser_cred(td->td_ucred, PRISON_ROOT) == 0)
+ if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
return (0);
#ifdef CAPABILITIES
- if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
+ if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
return (0);
#endif
@@ -1607,7 +1607,7 @@ p_candebug(struct thread *td, struct proc *p)
KASSERT(td == curthread, ("%s: td not curthread", __func__));
PROC_LOCK_ASSERT(p, MA_OWNED);
if (!unprivileged_proc_debug) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1659,7 +1659,7 @@ p_candebug(struct thread *td, struct proc *p)
* require CAP_SYS_PTRACE.
*/
if (!grpsubset || !uidsubset || credentialchanged) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -1927,7 +1927,7 @@ setlogin(struct thread *td, struct setlogin_args *uap)
int error;
char logintmp[MAXLOGNAME];
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 189a95a..0398b75 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -573,7 +573,7 @@ kern_setrlimit(td, which, limp)
alimp = &oldlim->pl_rlimit[which];
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
- if ((error = suser_cred(td->td_ucred, PRISON_ROOT))) {
+ if ((error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL))) {
PROC_UNLOCK(p);
lim_free(newlim);
return (error);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 39214de..d407b24 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1196,7 +1196,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
int flags;
if (oid->oid_kind & CTLFLAG_PRISON)
- flags = PRISON_ROOT;
+ flags = SUSER_ALLOWJAIL;
else
flags = 0;
error = suser_cred(req->td->td_ucred, flags);
diff --git a/sys/kern/kern_xxx.c b/sys/kern/kern_xxx.c
index f52dd98..6840e64 100644
--- a/sys/kern/kern_xxx.c
+++ b/sys/kern/kern_xxx.c
@@ -95,7 +95,7 @@ osethostname(td, uap)
name[0] = CTL_KERN;
name[1] = KERN_HOSTNAME;
mtx_lock(&Giant);
- if ((error = suser_cred(td->td_ucred, PRISON_ROOT)) == 0) {
+ if ((error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL)) == 0) {
error = userland_sysctl(td, name, 2, 0, 0, 0,
uap->hostname, uap->len, 0);
}
diff --git a/sys/kern/subr_acl_posix1e.c b/sys/kern/subr_acl_posix1e.c
index 01e5e3ba..7beca5c 100644
--- a/sys/kern/subr_acl_posix1e.c
+++ b/sys/kern/subr_acl_posix1e.c
@@ -92,7 +92,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_cred(cred, PRISON_ROOT) == 0)
+ if (suser_cred(cred, SUSER_ALLOWJAIL) == 0)
cap_granted = VALLPERM;
else
cap_granted = 0;
@@ -101,24 +101,24 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
if (type == VDIR) {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_READ_SEARCH, PRISON_ROOT))
+ CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_EXECUTE, PRISON_ROOT))
+ CAP_DAC_EXECUTE, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
}
if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VREAD;
if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
- !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL))
cap_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VADMIN;
#endif /* CAPABILITIES */
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c
index 01e5e3ba..7beca5c 100644
--- a/sys/kern/vfs_acl.c
+++ b/sys/kern/vfs_acl.c
@@ -92,7 +92,7 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
* a DAC entry that matches but has failed to allow access.
*/
#ifndef CAPABILITIES
- if (suser_cred(cred, PRISON_ROOT) == 0)
+ if (suser_cred(cred, SUSER_ALLOWJAIL) == 0)
cap_granted = VALLPERM;
else
cap_granted = 0;
@@ -101,24 +101,24 @@ vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
if (type == VDIR) {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_READ_SEARCH, PRISON_ROOT))
+ CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && !cap_check(cred, NULL,
- CAP_DAC_EXECUTE, PRISON_ROOT))
+ CAP_DAC_EXECUTE, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
}
if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VREAD;
if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
- !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL))
cap_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER,
- PRISON_ROOT))
+ SUSER_ALLOWJAIL))
cap_granted |= VADMIN;
#endif /* CAPABILITIES */
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index c22b194..38d6de6 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -812,7 +812,7 @@ chroot(td, uap)
int error;
struct nameidata nd;
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->path, td);
@@ -1170,7 +1170,7 @@ kern_mknod(struct thread *td, char *path, enum uio_seg pathseg, int mode,
error = suser(td);
break;
default:
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
break;
}
if (error)
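Review bot: The jail-permitting check sits in the `default:` arm of this switch in kern_mknod(), so any mode type not named by the case labels above the hunk gets `suser_cred(td->td_ucred, SUSER_ALLOWJAIL)` instead of the `suser(td)` used by the preceding case, which is presumably the stricter check. The case labels and any later type validation are outside the hunk, so this may already be caught further down. If it is not, listing the jail-safe types explicitly and giving `default:` the line `error = suser(td);` would stop a newly added type from becoming creatable in a jail by omission. The identical hunk in vfs_syscalls.c has the same shape.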
@@ -1365,7 +1365,7 @@ can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
struct vattr va;
int error;
- if (suser_cred(cred, PRISON_ROOT) == 0)
+ if (suser_cred(cred, SUSER_ALLOWJAIL) == 0)
return (0);
if (!hardlink_check_uid && !hardlink_check_gid)
@@ -2300,7 +2300,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -3727,7 +3727,7 @@ revoke(td, uap)
}
VOP_UNLOCK(vp, 0, td);
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
goto out;
}
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index ca5ee2f..846ae76 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -3663,7 +3663,7 @@ vaccess(type, file_mode, file_uid, file_gid, acc_mode, cred, privused)
return (0);
privcheck:
- if (!suser_cred(cred, PRISON_ROOT)) {
+ if (!suser_cred(cred, SUSER_ALLOWJAIL)) {
/* XXX audit: privilege used */
if (privused != NULL)
*privused = 1;
@@ -3686,24 +3686,24 @@ privcheck:
* VEXEC requests, instead of CAP_DAC_EXECUTE.
*/
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
} else {
if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_EXECUTE, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_EXECUTE, SUSER_ALLOWJAIL))
cap_granted |= VEXEC;
}
if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL))
cap_granted |= VREAD;
if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) &&
- !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL))
cap_granted |= (VWRITE | VAPPEND);
if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) &&
- !cap_check(cred, NULL, CAP_FOWNER, PRISON_ROOT))
+ !cap_check(cred, NULL, CAP_FOWNER, SUSER_ALLOWJAIL))
cap_granted |= VADMIN;
if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) {
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index c22b194..38d6de6 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -812,7 +812,7 @@ chroot(td, uap)
int error;
struct nameidata nd;
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->path, td);
@@ -1170,7 +1170,7 @@ kern_mknod(struct thread *td, char *path, enum uio_seg pathseg, int mode,
error = suser(td);
break;
default:
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
break;
}
if (error)
@@ -1365,7 +1365,7 @@ can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
struct vattr va;
int error;
- if (suser_cred(cred, PRISON_ROOT) == 0)
+ if (suser_cred(cred, SUSER_ALLOWJAIL) == 0)
return (0);
if (!hardlink_check_uid && !hardlink_check_gid)
@@ -2300,7 +2300,7 @@ setfflags(td, vp, flags)
* chown can't fail when done as root.
*/
if (vp->v_type == VCHR || vp->v_type == VBLK) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
return (error);
}
@@ -3727,7 +3727,7 @@ revoke(td, uap)
}
VOP_UNLOCK(vp, 0, td);
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = suser_cred(td->td_ucred, PRISON_ROOT);
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
if (error)
goto out;
}