o Move suser() calls in kern/ to using suser_xxx() with an explicit

credential selection, rather than reference via a thread or process
  pointer.  This is part of a gradual migration to suser() accepting
  a struct ucred instead of a struct proc, simplifying the reference
  and locking semantics of suser().

Obtained from:	TrustedBSD Project

sys/kern/kern_acct.c

@@ -123,7 +123,7 @@ acct(td, uap)
 	if (td != curthread)
 		panic("acct");		/* XXXKSE DIAGNOSTIC */
 	/* Make sure that the caller is root. */
-	error = suser(td->td_proc);
+	error = suser_xxx(td->td_proc->p_ucred, NULL, 0);
 	if (error)
 		goto done2;
 

sys/kern/kern_jail.c

@@ -83,7 +83,7 @@ jail(td, uap)
 	pr->pr_ip = j.ip_number;
 	PROC_LOCK(p);
 	/* Implicitly fail if already in jail.  */
-	error = suser(p);
+	error = suser_xxx(p->p_ucred, NULL, 0);
 	if (error)
 		goto badcred;
 	oldcred = p->p_ucred;

sys/kern/kern_linker.c

@@ -697,7 +697,7 @@ kldload(struct thread* td, struct kldload_args* uap)
 
     mtx_lock(&Giant);
 
-    if ((error = suser_td(td)) != 0)
+    if ((error = suser_xxx(td->td_proc->p_ucred, NULL, 0)) != 0)
 	goto out;
 
     pathname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
@@ -743,7 +743,7 @@ kldunload(struct thread* td, struct kldunload_args* uap)
 
     mtx_lock(&Giant);
 
-    if ((error = suser_td(td)) != 0)
+    if ((error = suser_xxx(td->td_proc->p_ucred, NULL, 0)) != 0)
 	goto out;
 
     lf = linker_find_file_by_id(SCARG(uap, fileid));

sys/kern/kern_resource.c

@@ -235,7 +235,8 @@ donice(curp, chgp, n)
 		n = PRIO_MAX;
 	if (n < PRIO_MIN)
 		n = PRIO_MIN;
-	if (n < chgp->p_ksegrp.kg_nice /* XXXKSE */  && suser(curp))
+	if (n < chgp->p_ksegrp.kg_nice /* XXXKSE */  &&
+	    suser_xxx(curp->p_ucred, NULL, 0))
 		return (EACCES);
 	chgp->p_ksegrp.kg_nice /* XXXKSE */  = n;
 	(void)resetpriority(&chgp->p_ksegrp); /* XXXKSE */
@@ -297,7 +298,7 @@ rtprio(td, uap)
 		    (error = copyin(uap->rtp, &rtp, sizeof(struct rtprio))))
 			break;
 		/* disallow setting rtprio in most cases if not superuser */
-		if (suser(curp) != 0) {
+		if (suser_xxx(curp->p_ucred, NULL, 0) != 0) {
 			/* can't set someone else's */
 			if (uap->pid) {
 				error = EPERM;

sys/kern/sysv_ipc.c

@@ -94,7 +94,8 @@ ipcperm(td, perm, mode)
 	/* Check for user match. */
 	if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) {
 		if (mode & IPC_M)
-			return (suser(p) == 0 ? 0 : EPERM);
+			return (suser_xxx(p->p_ucred, NULL, 0) == 0 ? 0 :
+			    EPERM);
 		/* Check for group match. */
 		mode >>= 3;
 		if (!groupmember(perm->gid, cred) &&
@@ -105,5 +106,6 @@ ipcperm(td, perm, mode)
 
 	if (mode & IPC_M)
 		return (0);
-	return ((mode & perm->mode) == mode || suser(p) == 0 ? 0 : EACCES);
+	return ((mode & perm->mode) == mode ||
+	    suser_xxx(p->p_ucred, NULL, 0) == 0 ? 0 : EACCES);
 }

sys/kern/tty.c

@@ -822,7 +822,7 @@ ttioctl(tp, cmd, data, flag)
 			    ISSET(constty->t_state, TS_CONNECTED))
 				return (EBUSY);
 #ifndef	UCONSOLE
-			if ((error = suser(p)) != 0)
+			if ((error = suser_xxx(p->p_ucred, NULL, 0)) != 0)
 				return (error);
 #endif
 			constty = tp;
@@ -994,9 +994,9 @@ ttioctl(tp, cmd, data, flag)
 		splx(s);
 		break;
 	case TIOCSTI:			/* simulate terminal input */
-		if ((flag & FREAD) == 0 && suser(p))
+		if ((flag & FREAD) == 0 && suser_xxx(p->p_ucred, NULL, 0))
 			return (EPERM);
-		if (!isctty(p, tp) && suser(p))
+		if (!isctty(p, tp) && suser_xxx(p->p_ucred, NULL, 0))
 			return (EACCES);
 		s = spltty();
 		(*linesw[tp->t_line].l_rint)(*(u_char *)data, tp);
@@ -1044,7 +1044,7 @@ ttioctl(tp, cmd, data, flag)
 		}
 		break;
 	case TIOCSDRAINWAIT:
-		error = suser(p);
+		error = suser_xxx(p->p_ucred, NULL, 0);
 		if (error)
 			return (error);
 		tp->t_timeout = *(int *)data * hz;

sys/kern/tty_pty.c

@@ -185,7 +185,7 @@ ptsopen(dev, flag, devtype, td)
 		tp->t_lflag = TTYDEF_LFLAG;
 		tp->t_cflag = TTYDEF_CFLAG;
 		tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
-	} else if (tp->t_state & TS_XCLUDE && suser(p)) {
+	} else if (tp->t_state & TS_XCLUDE && suser_xxx(p->p_ucred, NULL, 0)) {
 		return (EBUSY);
 	} else if (pti->pt_prison != p->p_ucred->cr_prison) {
 		return (EBUSY);