priv: Introduce and use PRIV_VFS_REVOKE

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index bde34e7..c80a8eb 100644 (file)
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -686,6 +686,7 @@ prison_priv_check(struct ucred *cred, int priv)
        case PRIV_VFS_CHROOT:
        case PRIV_VFS_LINK:
        case PRIV_VFS_CHFLAGS_DEV:
+       case PRIV_VFS_REVOKE:
        case PRIV_VFS_MKNOD_BAD:
        case PRIV_VFS_MKNOD_WHT:
        case PRIV_VFS_MKNOD_DIR:

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index ede5d73..27b766c 100644 (file)
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -3596,7 +3596,7 @@ sys_revoke(struct revoke_args *uap)
                if (error == 0)
                        error = VOP_GETATTR(vp, &vattr);
                if (error == 0 && cred->cr_uid != vattr.va_uid)
-                       error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
+                       error = priv_check_cred(cred, PRIV_VFS_REVOKE, 0);
                if (error == 0 && (vp->v_type == VCHR || vp->v_type == VBLK)) {
                        if (count_udev(vp->v_umajor, vp->v_uminor) > 0)
                                error = vrevoke(vp, cred);

diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 9847ad5..6241ac4 100644 (file)
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -284,6 +284,7 @@
 #define        PRIV_VFS_MKNOD_DIR      345     /* Can mknod() to create special */
                                        /* directories for HAMMER. */
 #define        PRIV_VFS_CHMOD          346     /* Can chmod() if not owner */
+#define        PRIV_VFS_REVOKE         347     /* Can revoke() if not owner */
 
 /*
  * Virtual memory privileges.