Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in

some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project

1 files changed, 2 insertions, 7 deletions

diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 3eef187c4fbe..5329c6c2df6f 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -607,13 +607,8 @@ rip_attach(struct socket *so, int proto, struct thread *td)
 
 	inp = sotoinpcb(so);
 	KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
-	/*
-	 * XXXRW: Centralize privilege decision in kern_jail.c.
-	 */
-	if (jailed(td->td_ucred) && !jail_allow_raw_sockets)
-		return (EPERM);
-	error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW,
-	    SUSER_ALLOWJAIL);
+
+	error = priv_check(td, PRIV_NETINET_RAW);
 	if (error)
 		return error;
 	if (proto >= IPPROTO_MAX || proto < 0)