return (0);
/*
+ * Allow jailed root to bind reserved ports.
+ */
+ case PRIV_NETINET_RESERVEDPORT:
+ return (0);
+
+
+ /*
* Conditionally allow creating raw sockets in jail.
*/
case PRIV_NETINET_RAW:
/* GROSS */
if (ntohs(lport) < IPPORT_RESERVED &&
- cred && priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))
+ cred && priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0))
return (EACCES);
if (so->so_cred->cr_uid != 0 &&
!IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
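Review bot: The `cred &&` guard in front of `priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0)` fails open: when `cred` is NULL the reserved-port check is skipped and a bind below `IPPORT_RESERVED` is not rejected here, and the existing `/* GROSS */` comment does not say which callers may pass NULL. The same pattern appears in the `INP_LOWPORT` branch of the following hunk. Since the jail decision now rests on this named privilege, I would replace that comment with something like `/* cred == NULL: in-kernel caller, privilege check intentionally skipped */` if that is the actual contract, and otherwise return `EACCES` when `cred` is NULL. The enclosing function starts and ends outside the hunk, so the callers cannot be checked from here.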
lastport = &pcbinfo->lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
if (cred &&
- (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) {
+ (error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0))) {
inp->inp_laddr.s_addr = INADDR_ANY;
return (error);
}