Some suser() calls still exist in kernel (4493976)

The interfaces listed below have code paths which check for the sys_suser_compat privilege instead of the proper privilege.

• LOG_FLUSH, SVCPOOL_CREATE opcodes for NFSSYS().

• Creation/deletion of a ufs file system snapshot via the _FIOSNAPSHOTCREATE and _FIOSNAPSHOTDELETE ioctl commands.

• Many of the power-management ioctls. These are nominally used by /usr/sbin/pmconfig, and include the following ioctls:

  • PM_SET_THRESHOLD

  • PM_SET_CUR_PWRPM_ADD_DEP

  • PM_REM_DEVICES

  • PM_SET_DEVICE_THRESHOLD

  • PM_SET_SYSTEM_THRESHOLD

  • PM_START_PM

  • PM_STOP_PM

  • PM_RESET_PM

  • PM_DIRECT_PM

  • PM_RESET_DEVICE_THRESHOLD

  • PM_SET_COMPONENT_THRESHOLDS

  • PM_IDLE_DOWN

  • PM_ADD_DEPENDENT

  • PM_ADD_DEPENDENT_PROPERTY

• The PPMIOCSET ioctl for power management.

Workaround: These interfaces may need to be invoked with the PRIV_SUSER_COMPAT privilege. This can be accomplished via profiles by using an exec_attr entry specifying this privilege.