From 3c8574bc8a8ca35d7c39b8f957cb328fd4c7bc0d Mon Sep 17 00:00:00 2001
From: Ed Schouten <ed@FreeBSD.org>
Date: Sat, 6 Sep 2008 14:43:32 +0000
Subject: [PATCH] Make TIOCCONS use priv_check() instead of checking
 /dev/console permissions.

As discussed with Robert on IRC, checking the permissions on
/dev/console to see if we can call TIOCCONS could be unreliable. When we
run a chroot() without a devfs instance mounted inside, it won't
actually check the permissions on the device node inside the devfs
instance.

Using the already existing PRIV_TTY_CONSOLE for this seems like a better
idea.

Approved by:	rwatson
---
 sys/kern/tty.c | 43 ++++++++-----------------------------------
 1 file changed, 8 insertions(+), 35 deletions(-)

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index c0a064aca34f..bb0fb02c99f0 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -44,7 +44,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/limits.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
-#include <sys/namei.h>
 #include <sys/poll.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
@@ -60,7 +59,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/ttydefaults.h>
 #undef TTYDEFCHARS
 #include <sys/ucred.h>
-#include <sys/vnode.h>
 
 #include <machine/stdarg.h>
 
@@ -1513,46 +1511,21 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, struct thread *td)
 	case TIOCCONS:
 		/* Set terminal as console TTY. */
 		if (*(int *)data) {
-			struct nameidata nd;
-			int vfslocked;
+			error = priv_check(td, PRIV_TTY_CONSOLE);
+			if (error)
+				return (error);
 
 			/*
-			 * XXX: TTY won't slip away, but constty would
-			 * really need to be locked!
+			 * XXX: constty should really need to be locked!
+			 * XXX: allow disconnected constty's to be stolen!
 			 */
-			tty_unlock(tp);
 
-			if (constty == tp) {
-				tty_lock(tp);
+			if (constty == tp)
 				return (0);
-			}
-			if (constty != NULL) {
-				tty_lock(tp);
+			if (constty != NULL)
 				return (EBUSY);
-			}
-			/* XXX: allow disconnected constty's to be stolen! */
-
-			/*
-			 * Only allow this to work when the user can
-			 * open /dev/console.
-			 */
-			NDINIT(&nd, LOOKUP, FOLLOW|LOCKLEAF|MPSAFE,
-			    UIO_SYSSPACE, "/dev/console", td);
-			if ((error = namei(&nd)) != 0) {
-				tty_lock(tp);
-				return (error);
-			}
-			vfslocked = NDHASGIANT(&nd);
-			NDFREE(&nd, NDF_ONLY_PNBUF);
-
-			error = VOP_ACCESS(nd.ni_vp, VREAD, td->td_ucred, td);
-			vput(nd.ni_vp);
-			VFS_UNLOCK_GIANT(vfslocked);
-			if (error) {
-				tty_lock(tp);
-				return (error);
-			}
 
+			tty_unlock(tp);
 			constty_set(tp);
 			tty_lock(tp);
 		} else if (constty == tp) {