From: Michael Neumann <mneumann@ntecs.de>
Date: Thu, 18 Jun 2009 09:56:32 +0000 (+0200)
Subject: priv: Narrow down privileges
X-Git-Tag: v2.3.2~105^2~8
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/3b1d99e9e0776d7d1f5dc595b7ede7b7f5ab0735

priv: Narrow down privileges
---

diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 1f69bbb8f4..32b570674a 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -256,7 +256,7 @@ donice(struct proc *chgp, int n)
 		n = PRIO_MAX;
 	if (n < PRIO_MIN)
 		n = PRIO_MIN;
-	if (n < chgp->p_nice && priv_check_cred(cr, PRIV_ROOT, 0))
+	if (n < chgp->p_nice && priv_check_cred(cr, PRIV_SCHED_SETPRIORITY, 0))
 		return (EACCES);
 	chgp->p_nice = n;
 	FOREACH_LWP_IN_PROC(lp, chgp)
@@ -314,7 +314,7 @@ sys_lwp_rtprio(struct lwp_rtprio_args *uap)
 			return EPERM;
 		}
 		/* disallow setting rtprio in most cases if not superuser */
-		if (priv_check_cred(cr, PRIV_ROOT, 0)) {
+		if (priv_check_cred(cr, PRIV_SCHED_RTPRIO, 0)) {
 			/* can't set someone else's */
 			if (uap->pid) { /* XXX */
 				return EPERM;
@@ -388,7 +388,7 @@ sys_rtprio(struct rtprio_args *uap)
 		    cr->cr_ruid != p->p_ucred->cr_uid)
 		        return (EPERM);
 		/* disallow setting rtprio in most cases if not superuser */
-		if (priv_check_cred(cr, PRIV_ROOT, 0)) {
+		if (priv_check_cred(cr, PRIV_SCHED_RTPRIO, 0)) {
 			/* can't set someone else's */
 			if (uap->pid)
 				return (EPERM);
diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index 2e87eb7b13..41b352c93c 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -186,7 +186,7 @@ sys_reboot(struct reboot_args *uap)
 	struct thread *td = curthread;
 	int error;
 
-	if ((error = priv_check(td, PRIV_ROOT)))
+	if ((error = priv_check(td, PRIV_REBOOT)))
 		return (error);
 
 	boot(uap->opt);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 0838c6b65a..72524c4399 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -536,7 +536,7 @@ sysctl_sysctl_debug(SYSCTL_HANDLER_ARGS)
 {
 	int error;
 
-	error = priv_check(req->td, PRIV_ROOT);
+	error = priv_check(req->td, PRIV_SYSCTL_DEBUG);
 	if (error)
 		return error;
 	sysctl_sysctl_debug_dump_node(&sysctl__children, 0);