From d4a89085d1753b1216880f8196189ee5e15cc662 Mon Sep 17 00:00:00 2001
From: Michael Neumann
Date: Thu, 18 Jun 2009 12:01:19 +0200
Subject: [PATCH] priv: Narrow down privileges

Leave PRISON_ROOT for now despite having a separate privilege for the prison case. PRISON_ROOT will be removed in a later step, once all jail privileges have been determined.
---
 sys/kern/kern_sysctl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 72524c4399..9a76e927e6 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1180,7 +1180,9 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
 /* Most likely only root can write */
 if (!(oid->oid_kind & CTLFLAG_ANYBODY) && req->newptr && p &&
- (error = priv_check_cred(p->p_ucred, PRIV_ROOT,
+ (error = priv_check_cred(p->p_ucred,
+ (oid->oid_kind & CTLFLAG_PRISON) ? PRIV_SYSCTL_WRITEJAIL :
+ PRIV_SYSCTL_WRITE,
 (oid->oid_kind & CTLFLAG_PRISON) ? PRISON_ROOT : 0)))
 return (error);
-- 
2.41.0
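Review bot: The comment above this check still reads `/* Most likely only root can write */`, but the write is now gated by a named privilege, so the comment no longer describes the access-control decision. I would replace it with `/* Writes need PRIV_SYSCTL_WRITE, or PRIV_SYSCTL_WRITEJAIL for CTLFLAG_PRISON oids; CTLFLAG_ANYBODY oids skip the check */`. The condition also skips the privilege check whenever `p` is NULL, presumably for kernel-internal requests; this commit does not change that, but it is a fail-open path and worth naming in the same comment. The `CTLFLAG_PRISON` test is now written twice inside one call, so the chosen privilege and the `PRISON_ROOT` flag could drift apart in a later edit; a local such as `int jail_ok = (oid->oid_kind & CTLFLAG_PRISON) != 0;` would keep them tied. The body of sysctl_root starts and ends outside the hunk, so the declaration would go with the function's other locals.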