Add a new priv 'PRIV_SCHED_CPUSET' to check if manipulating cpusets is

allowed and replace the suser() call. Do not allow it in jails.

Reviewed by:	rwatson

sys/kern/kern_cpuset.c

@@ -292,7 +292,7 @@ cpuset_modify(struct cpuset *set, cpuset_t *mask)
 	struct cpuset *root;
 	int error;
 
-	error = suser(curthread);
+	error = priv_check(curthread, PRIV_SCHED_CPUSET);
 	if (error)
 		return (error);
 	/*

sys/sys/priv.h

@@ -187,6 +187,7 @@
 #define	PRIV_SCHED_SETPOLICY	203	/* Can set scheduler policy. */
 #define	PRIV_SCHED_SET		204	/* Can set thread scheduler. */
 #define	PRIV_SCHED_SETPARAM	205	/* Can set thread scheduler params. */
+#define	PRIV_SCHED_CPUSET	206	/* Can manipulate cpusets. */
 
 /*
  * POSIX semaphore privileges.