From ba931c0855ae41382b93e02f30565911912edad5 Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb"
Date: Sun, 29 Jun 2008 17:58:16 +0000
Subject: [PATCH] Add a new priv 'PRIV_SCHED_CPUSET' to check if manipulating cpusets is allowed and replace the suser() call. Do not allow it in jails.
Reviewed by: rwatson
---
 sys/kern/kern_cpuset.c | 2 +-
 sys/sys/priv.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index 1a2495e4c740..8c434fd79ae8 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -292,7 +292,7 @@ cpuset_modify(struct cpuset *set, cpuset_t *mask)
 struct cpuset *root;
 int error;

- error = suser(curthread);
+ error = priv_check(curthread, PRIV_SCHED_CPUSET);
 if (error)
 return (error);
 /*
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 0e4d1cd94dd6..70706bcde0c8 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -187,6 +187,7 @@
 #define PRIV_SCHED_SETPOLICY 203 /* Can set scheduler policy. */
 #define PRIV_SCHED_SET 204 /* Can set thread scheduler. */
 #define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */
+#define PRIV_SCHED_CPUSET 206 /* Can manipulate cpusets. */

 /*
 * POSIX semaphore privileges.
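Review bot: The "do not allow it in jails" rule from the commit message is not expressed anywhere in the new code: the `priv_check(curthread, PRIV_SCHED_CPUSET)` call in `cpuset_modify()` and the new `#define` in `priv.h` carry no jail-specific logic. The denial presumably comes from the jail privilege filter refusing any privilege it does not explicitly list, which lies outside this diff, so a later edit to that list could silently grant cpuset changes to jailed root. I would record the intent at the call site with `/* PRIV_SCHED_CPUSET is deliberately not granted to jailed processes. */` and extend the `priv.h` comment to `/* Can manipulate cpusets; not granted in jails. */`. The body of `cpuset_modify()` continues past the hunk, so whether every path that writes a set's mask goes through this check cannot be confirmed from here.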