From owner-trustedbsd-cvs@FreeBSD.ORG Mon Oct 30 15:17:42 2006
Date: Mon, 30 Oct 2006 15:17:16 GMT
Message-Id: <200610301517.k9UFHGLj051771@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 108753 for review
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=108753

Change 108753 by rwatson@rwatson_zoo on 2006/10/30 15:17:04

	Move from enum priv priv to int priv. This reduces name space
	pollution and allows mac_framework.h not to have a nested include
	of priv.h. It also makes it easier to avoid ABI disruption by
	hard-coding privilege numbers and leaving gaps so sort order isn't
	disrupted.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#11 edit
.. //depot/projects/trustedbsd/priv/sys/kern/kern_priv.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/security/mac/mac_framework.h#4 edit
.. //depot/projects/trustedbsd/priv/sys/security/mac/mac_priv.c#2 edit
.. //depot/projects/trustedbsd/priv/sys/security/mac_privs/mac_privs.c#2 edit
.. //depot/projects/trustedbsd/priv/sys/security/mac_privs/mac_privs.h#2 edit
.. //depot/projects/trustedbsd/priv/sys/sys/jail.h#3 edit
.. //depot/projects/trustedbsd/priv/sys/sys/mac_policy.h#5 edit
.. //depot/projects/trustedbsd/priv/sys/sys/priv.h#8 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#11 (text+ko) ====
@@ -529,7 +529,7 @@ * have a specific list of accepted privileges; the rest are denied. */ int -prison_priv_check(struct ucred *cred, enum priv priv) +prison_priv_check(struct ucred *cred, int priv) { if (!(jailed(cred))) ==== //depot/projects/trustedbsd/priv/sys/kern/kern_priv.c#3 (text+ko) ==== @@ -34,12 +34,13 @@ #include #include #include -#include #include #include #include #include +#include + /* * `suser_enabled' (which can be set by the security.bsd.suser_enabled * sysctl) determines whether the system 'super-user' policy is in effect. @@ -62,7 +63,7 @@ * only a few to grant it. */ int -priv_check_cred(struct ucred *cred, enum priv priv, int flags) +priv_check_cred(struct ucred *cred, int priv, int flags) { int error; @@ -123,7 +124,7 @@ } int -priv_check(struct thread *td, enum priv priv) +priv_check(struct thread *td, int priv) { KASSERT(td == curthread, ("priv_check: td != curthread")); ==== //depot/projects/trustedbsd/priv/sys/security/mac/mac_framework.h#4 (text+ko) ==== @@ -51,7 +51,6 @@ #endif #include -#include /* XXXRW: Until name space issues resolved. */ struct bpf_d; struct cdev; @@ -408,8 +407,8 @@ struct label *label); void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); void mac_associate_nfsd_label(struct ucred *cred); -int mac_priv_check(struct ucred *cred, enum priv priv); -int mac_priv_grant(struct ucred *cred, enum priv priv); +int mac_priv_check(struct ucred *cred, int priv); +int mac_priv_grant(struct ucred *cred, int priv); /* * Calls to help various file systems implement labeling functionality ==== //depot/projects/trustedbsd/priv/sys/security/mac/mac_priv.c#2 (text+ko) ==== @@ -38,13 +38,13 @@ #include #include #include -#include #include +#include #include int -mac_priv_check(struct ucred *cred, enum priv priv) +mac_priv_check(struct ucred *cred, int priv) { int error; 
@@ -54,7 +54,7 @@ } int -mac_priv_grant(struct ucred *cred, enum priv priv) +mac_priv_grant(struct ucred *cred, int priv) { int error; ==== //depot/projects/trustedbsd/priv/sys/security/mac_privs/mac_privs.c#2 (text+ko) ==== @@ -60,7 +60,7 @@ */ struct rule { uid_t r_uid; - enum priv r_priv; + int r_priv; TAILQ_ENTRY(rule) r_list; }; @@ -127,7 +127,7 @@ * Add a rule matching the uid and privilege. */ static int -mac_privs_rule_add(uid_t uid, enum priv priv) +mac_privs_rule_add(uid_t uid, int priv) { struct rule *new_rule, *rule; @@ -163,7 +163,7 @@ * Delete a rule matching the uid and privilege. */ static int -mac_privs_rule_delete(uid_t uid, enum priv priv) +mac_privs_rule_delete(uid_t uid, int priv) { struct rule *rule; @@ -252,7 +252,7 @@ * match a specific or wildcard rule (privilege of -1 in the rule). */ static int -mac_privs_priv_grant(struct ucred *cred, enum priv priv) +mac_privs_priv_grant(struct ucred *cred, int priv) { struct rule *rule; int error; ==== //depot/projects/trustedbsd/priv/sys/security/mac_privs/mac_privs.h#2 (text+ko) ==== @@ -48,8 +48,8 @@ */ #define MAC_PRIVS_ADD 1 struct mac_privs_add_args { - uid_t uid; - enum priv priv; + uid_t uid; + int priv; }; /* @@ -57,8 +57,8 @@ */ #define MAC_PRIVS_DELETE 2 struct mac_privs_delete_args { - uid_t uid; - enum priv priv; + uid_t uid; + int priv; }; /* @@ -80,8 +80,8 @@ */ #define MAC_PRIVS_LIST 4 struct mac_privs_list_entry { - uid_t uid; - enum priv priv; + uid_t uid; + int priv; }; struct mac_privs_list_args { ==== //depot/projects/trustedbsd/priv/sys/sys/jail.h#3 (text+ko) ==== 
@@ -111,7 +111,7 @@ void prison_hold(struct prison *pr); int prison_if(struct ucred *cred, struct sockaddr *sa); int prison_ip(struct ucred *cred, int flag, u_int32_t *ip); -int prison_priv_check(struct ucred *cred, enum priv priv); +int prison_priv_check(struct ucred *cred, int priv); void prison_remote_ip(struct ucred *cred, int flags, u_int32_t *ip); #endif /* _KERNEL */ ==== //depot/projects/trustedbsd/priv/sys/sys/mac_policy.h#5 (text+ko) ==== @@ -55,10 +55,12 @@ * Operations are sorted first by general class of operation, then * alphabetically. */ +#include #include /* XXX acl_type_t */ struct acl; struct bpf_d; +struct cdev; struct componentname; struct devfs_dirent; struct ifnet; @@ -595,8 +597,8 @@ struct ucred *file_cred, struct vnode *vp, struct label *label); typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred); -typedef int (*mpo_priv_check_t)(struct ucred *cred, enum priv priv); -typedef int (*mpo_priv_grant_t)(struct ucred *cred, enum priv priv); +typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv); +typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv); struct mac_policy_ops { /* ==== //depot/projects/trustedbsd/priv/sys/sys/priv.h#8 (text+ko) ==== 
@@ -48,251 +48,387 @@ * When adding a new privilege, remember to determine if it's appropriate for * use in jail, and update the privilege switch in kern_jail.c as necessary. */ -enum priv { - /* Track beginning of privilege list. */ - _PRIV_LOWEST, +/* Track beginning of privilege list. */ +#define _PRIV_LOWEST 0 + +/* + * PRIV_ROOT is a catch-all for as yet unnamed privileges. No new + * references to this privilege should be added. + */ +#define PRIV_ROOT 1 /* Catch-all during development. */ + +/* + * The remaining privileges typically correspond to one or a small + * number of specific privilege checks, and have (relatively) precise + * meanings. They are loosely sorted into a set of base system + * privileges, such as the ability to reboot, and then loosely by + * subsystem, indicated by a subsystem name. + */ +#define PRIV_ACCT 2 /* Manage process accounting. */ +#define PRIV_MAXFILES 3 /* Exceed system open files limit. */ +#define PRIV_MAXPROC 4 /* Exceed system processes limit. */ +#define PRIV_KTRACE 5 /* Set/clear KTRFAC_ROOT on ktrace. */ +#define PRIV_SETDUMPER 6 /* Configure dump device. */ +#define PRIV_NFSD 7 /* Can become NFS daemon. */ +#define PRIV_REBOOT 8 /* Can reboot system. */ +#define PRIV_SWAPON 9 /* Can swapon(). */ +#define PRIV_SWAPOFF 10 /* Can swapoff(). */ +#define PRIV_MSGBUF 11 /* Can read kernel message buffer. */ +#define PRIV_WITNESS 12 /* Can configure WITNESS. */ +#define PRIV_IO 13 /* Can perform low-level I/O. */ +#define PRIV_KEYBOARD 14 /* Reprogram keyboard. */ +#define PRIV_DRIVER 15 /* Low-level driver privilege. */ +#define PRIV_ADJTIME 16 /* Set time adjustment. */ +#define PRIV_NTP_ADJTIME 17 /* Set NTP time adjustment. */ +#define PRIV_CLOCK_SETTIME 18 /* Can call clock_settime. */ +#define PRIV_SETTIMEOFDAY 19 /* Can call settimeofday. */ +#define PRIV_SETHOSTID 20 /* Can call sethostid. */ +#define PRIV_SETDOMAINNAME 21 /* Can call setdomainname. */ + +/* + * Audit subsystem privileges. 
+ */ +#define PRIV_AUDIT_CONTROL 40 /* Can configure audit. */ +#define PRIV_AUDIT_FAILSTOP 41 /* Can run during audit fail stop. */ +#define PRIV_AUDIT_GETAUDIT 42 /* Can get proc audit properties. */ +#define PRIV_AUDIT_SETAUDIT 43 /* Can set proc audit properties. */ +#define PRIV_AUDIT_SUBMIT 44 /* Can submit an audit record. */ + +/* + * Credential management privileges. + */ +#define PRIV_CRED_SETUID 50 /* setuid. */ +#define PRIV_CRED_SETEUID 51 /* seteuid to !ruid and !svuid. */ +#define PRIV_CRED_SETGID 52 /* setgid. */ +#define PRIV_CRED_SETEGID 53 /* setgid to !rgid and !svgid. */ +#define PRIV_CRED_SETGROUPS 54 /* Set process additional groups. */ +#define PRIV_CRED_SETREUID 55 /* setreuid. */ +#define PRIV_CRED_SETREGID 56 /* setregid. */ +#define PRIV_CRED_SETRESUID 57 /* setresuid. */ +#define PRIV_CRED_SETRESGID 58 /* setresgid. */ +#define PRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ +#define PRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ + +/* + * Debugging privileges. + */ +#define PRIV_DEBUG_DIFFCRED 80 /* Exempt debugging other users. */ +#define PRIV_DEBUG_SUGID 81 /* Exempt debugging setuid proc. */ +#define PRIV_DEBUG_UNPRIV 82 /* Exempt unprivileged debug limit. */ + +/* + * Dtrace privileges. + */ +#define PRIV_DTRACE_KERNEL 90 /* Allow use of DTrace on the kernel. */ +#define PRIV_DTRACE_PROC 91 /* Allow attaching DTrace to process. */ +#define PRIV_DTRACE_USER 92 /* Process may submit DTrace events. */ + +/* + * Firmware privilegs. + */ +#define PRIV_FIRMWARE_LOAD 100 /* Can load firmware. */ + +/* + * Jail privileges. + */ +#define PRIV_JAIL_ATTACH 110 /* Attach to a jail. */ + +/* + * Kernel environment priveleges. + */ +#define PRIV_KENV_SET 120 /* Set kernel env. variables. */ +#define PRIV_KENV_UNSET 121 /* Unset kernel env. variables. */ + +/* + * Loadable kernel module privileges. + */ +#define PRIV_KLD_LOAD 130 /* Load a kernel module. */ +#define PRIV_KLD_UNLOAD 131 /* Unload a kernel module. 
*/ + +/* + * Privileges associated with the MAC Framework and specific MAC policy + * modules. + */ +#define PRIV_MAC_PARTITION 140 /* Privilege in mac_partition policy. */ +#define PRIV_MAC_PRIVS 141 /* Privilege in the mac_privs policy. */ + +/* + * Process-related privileges. + */ +#define PRIV_PROC_LIMIT 160 /* Exceed user process limit. */ +#define PRIV_PROC_SETLOGIN 161 /* Can call setlogin. */ +#define PRIV_PROC_SETRLIMIT 162 /* Can raise resources limits. */ + +/* System V IPC privileges. + */ +#define PRIV_IPC_READ 170 /* Can override IPC read perm. */ +#define PRIV_IPC_WRITE 171 /* Can override IPC write perm. */ +#define PRIV_IPC_EXEC 172 /* Can override IPC exec perm. */ +#define PRIV_IPC_ADMIN 173 /* Can override IPC owner-only perm. */ +#define PRIV_IPC_MSGSIZE 174 /* Exempt IPC message queue limit. */ + +/* + * POSIX message queue privileges. + */ +#define PRIV_MQ_ADMIN 180 /* Can override msgq owner-only perm. */ + +/* + * Performance monitoring counter privileges. + */ +#define PRIV_PMC_MANAGE 190 /* Can administer PMC. */ +#define PRIV_PMC_SYSTEM 191 /* Can allocate a system-wide PMC. */ + +/* + * Scheduling privileges. + */ +#define PRIV_SCHED_DIFFCRED 200 /* Exempt scheduling other users. */ +#define PRIV_SCHED_SETPRIORITY 201 /* Can set lower nice value for proc. */ +#define PRIV_SCHED_RTPRIO 202 /* Can set real time scheduling. */ +#define PRIV_SCHED_SETPOLICY 203 /* Can set scheduler policy. */ +#define PRIV_SCHED_SET 204 /* Can set thread scheduler. */ +#define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */ + +/* + * POSIX semaphore privileges. + */ +#define PRIV_SEM_WRITE 220 /* Can override sem write perm. */ + +/* + * Signal privileges. + */ +#define PRIV_SIGNAL_DIFFCRED 230 /* Exempt signalling other users. */ +#define PRIV_SIGNAL_SUGID 231 /* Non-conserv signal setuid proc. */ + +/* + * Sysctl privileges. + */ +#define PRIV_SYSCTL_DEBUG 240 /* Can invoke sysctl.debug. 
*/ +#define PRIV_SYSCTL_WRITE 241 /* Can write sysctls. */ +#define PRIV_SYSCTL_WRITEJAIL 242 /* Can write sysctls, jail permitted. */ + +/* + * TTY privileges. + */ +#define PRIV_TTY_CONSOLE 250 /* Set console to tty. */ +#define PRIV_TTY_DRAINWAIT 251 /* Set tty drain wait time. */ +#define PRIV_TTY_DTRWAIT 252 /* Set DTR wait on tty. */ +#define PRIV_TTY_EXCLUSIVE 253 /* Override tty exclusive flag. */ +#define PRIV_TTY_PRISON 254 /* Can open pts across jails. */ +#define PRIV_TTY_STI 255 /* Simulate input on another tty. */ +#define PRIV_TTY_SETA 256 /* Set tty termios structure. */ + +/* + * UFS-specific privileges. + */ +#define PRIV_UFS_EXTATTRCTL 270 /* Can configure EAs on UFS1. */ +#define PRIV_UFS_GETQUOTA 271 /* getquota(). */ +#define PRIV_UFS_QUOTAOFF 272 /* quotaoff(). */ +#define PRIV_UFS_QUOTAON 273 /* quotaon(). */ +#define PRIV_UFS_SETQUOTA 274 /* setquota(). */ +#define PRIV_UFS_SETUSE 275 /* setuse(). */ +#define PRIV_UFS_EXCEEDQUOTA 276 /* Exempt from quota restrictions. */ + +/* + * VFS privileges. + */ +#define PRIV_VFS_READ 310 /* Override vnode DAC read perm. */ +#define PRIV_VFS_WRITE 311 /* Override vnode DAC write perm. */ +#define PRIV_VFS_ADMIN 312 /* Override vnode DAC admin perm. */ +#define PRIV_VFS_EXEC 313 /* Override vnode DAC exec perm. */ +#define PRIV_VFS_LOOKUP 314 /* Override vnode DAC lookup perm. */ +#define PRIV_VFS_BLOCKRESERVE 315 /* Can use free block reserve. */ +#define PRIV_VFS_CHFLAGS_DEV 316 /* Can chflags() a device node. */ +#define PRIV_VFS_CHOWN 317 /* Can set user; group to non-member. */ +#define PRIV_VFS_CHROOT 318 /* chroot(). */ +#define PRIV_VFS_CLEARSUGID 319 /* Don't clear sugid on change. */ +#define PRIV_VFS_EXTATTR_SYSTEM 320 /* Operate on system EA namespace. */ +#define PRIV_VFS_FCHROOT 321 /* fchroot(). */ +#define PRIV_VFS_FHOPEN 322 /* Can fhopen(). */ +#define PRIV_VFS_FHSTAT 323 /* Can fhstat(). */ +#define PRIV_VFS_FHSTATFS 324 /* Can fhstatfs(). 
*/ +#define PRIV_VFS_GENERATION 325 /* stat() returns generation number. */ +#define PRIV_VFS_GETFH 326 /* Can retrieve file handles. */ +#define PRIV_VFS_LINK 327 /* bsd.hardlink_check_uid */ +#define PRIV_VFS_MKNOD_BAD 328 /* Can mknod() to mark bad inodes. */ +#define PRIV_VFS_MKNOD_DEV 329 /* Can mknod() to create dev nodes. */ +#define PRIV_VFS_MKNOD_WHT 330 /* Can mknod() to create whiteout. */ +#define PRIV_VFS_MOUNT 331 /* Can mount(). */ +#define PRIV_VFS_MOUNT_OWNER 332 /* Override owner on user mounts. */ +#define PRIV_VFS_MOUNT_EXPORTED 333 /* Can set MNT_EXPORTED on mount. */ +#define PRIV_VFS_MOUNT_PERM 334 /* Override dev node perms at mount. */ +#define PRIV_VFS_MOUNT_SUIDDIR 335 /* Can set MNT_SUIDDIR on mount. */ +#define PRIV_VFS_MOUNT_NONUSER 336 /* Can perform a non-user mount. */ +#define PRIV_VFS_SETGID 337 /* Can setgid if not in group. */ +#define PRIV_VFS_STICKYFILE 338 /* Can set sticky bit on file. */ +#define PRIV_VFS_SYSFLAGS 339 /* Can modify system flags. */ +#define PRIV_VFS_UNMOUNT 340 /* Can unmount(). */ + +/* + * Virtual memory privileges. + */ +#define PRIV_VM_MADV_PROTECT 360 /* Can set MADV_PROTECT. */ +#define PRIV_VM_MLOCK 361 /* Can mlock(), mlockall(). */ +#define PRIV_VM_MUNLOCK 362 /* Can munlock(), munlockall(). */ + +/* + * Device file system privileges. + */ +#define PRIV_DEVFS_RULE 370 /* Can manage devfs rules. */ +#define PRIV_DEVFS_SYMLINK 371 /* Can create symlinks in devfs. */ + +/* + * Random number generator privileges. + */ +#define PRIV_RANDOM_RESEED 380 /* Closing /dev/random reseeds. */ + +/* + * Network stack privileges. + */ +#define PRIV_NET_BRIDGE 390 /* Administer bridge. */ +#define PRIV_NET_GRE 391 /* Administer GRE. */ +#define PRIV_NET_PPP 392 /* Administer PPP. */ +#define PRIV_NET_SLIP 393 /* Administer SLIP. */ +#define PRIV_NET_BPF 394 /* Monitor BPF. */ +#define PRIV_NET_RAW 395 /* Open raw socket. */ +#define PRIV_NET_ROUTE 396 /* Administer routing. 
*/ +#define PRIV_NET_TAP 397 /* Can open tap device. */ +#define PRIV_NET_SETIFMTU 398 /* Set interface MTU. */ +#define PRIV_NET_SETIFFLAGS 399 /* Set interface flags. */ +#define PRIV_NET_SETIFCAP 400 /* Set interface capabilities. */ +#define PRIV_NET_SETIFNAME 401 /* Set interface name. */ +#define PRIV_NET_SETIFMETRIC 402 /* Set interface metrics. */ +#define PRIV_NET_SETIFPHYS 403 /* Set interface physical layer prop. */ +#define PRIV_NET_SETIFMAC 404 /* Set interface MAC label. */ +#define PRIV_NET_ADDMULTI 405 /* Add multicast addr. to ifnet. */ +#define PRIV_NET_DELMULTI 406 /* Delete multicast addr. from ifnet. */ +#define PRIV_NET_HWIOCTL 507 /* Issue hardware ioctl on ifnet. */ +#define PRIV_NET_SETLLADDR 508 +#define PRIV_NET_ADDIFGROUP 509 /* Add new interface group. */ +#define PRIV_NET_DELIFGROUP 510 /* Delete interface group. */ +#define PRIV_NET_IFCREATE 511 /* Create cloned interface. */ +#define PRIV_NET_IFDESTROY 512 /* Destroy cloned interface. */ +#define PRIV_NET_ADDIFADDR 513 /* Add protocol addr to interface. */ +#define PRIV_NET_DELIFADDR 514 /* Delete protocol addr on interface. */ + +/* + * 802.11-related privileges. + */ +#define PRIV_NET80211_GETKEY 540 /* Query 802.11 keys. */ +#define PRIV_NET80211_MANAGE 541 /* Administer 802.11. */ + +/* + * AppleTalk privileges. + */ +#define PRIV_NETATALK_RESERVEDPORT 550 /* Bind low port number. */ + +/* + * ATM privileges. + */ +#define PRIV_NETATM_CFG 560 +#define PRIV_NETATM_ADD 561 +#define PRIV_NETATM_DEL 562 +#define PRIV_NETATM_SET 563 + +/* + * Bluetooth privileges. + */ +#define PRIV_NETBLUETOOTH_RAW 570 /* Open raw bluetooth socket. */ + +/* + * Netgraph and netgraph module privileges. + */ +#define PRIV_NETGRAPH_CONTROL 580 /* Open netgraph control socket. */ +#define PRIV_NETGRAPH_TTY 581 /* Configure tty for netgraph. */ + +/* + * IPv4 and IPv6 privileges. + */ +#define PRIV_NETINET_RESERVEDPORT 590 /* Bind low port number. 
*/ +#define PRIV_NETINET_IPFW 591 /* Administer IPFW firewall. */ +#define PRIV_NETINET_DIVERT 592 /* Open IP divert socket. */ +#define PRIV_NETINET_PF 593 /* Administer pf firewall. */ +#define PRIV_NETINET_DUMMYNET 594 /* Administer DUMMYNET. */ +#define PRIV_NETINET_CARP 595 /* Administer CARP. */ +#define PRIV_NETINET_MROUTE 596 /* Administer multicast routing. */ +#define PRIV_NETINET_RAW 597 /* Open netinet raw socket. */ +#define PRIV_NETINET_GETCRED 598 /* Query netinet pcb credentials. */ +#define PRIV_NETINET_ADDRCTRL6 599 /* Administer IPv6 address scopes. */ +#define PRIV_NETINET_ND6 600 /* Administer IPv6 neighbor disc. */ +#define PRIV_NETINET_SCOPE6 601 /* Administer IPv6 address scopes. */ +#define PRIV_NETINET_ALIFETIME6 602 /* Administer IPv6 address lifetimes. */ +#define PRIV_NETINET_IPSEC 603 /* Administer IPSEC. */ + +/* + * IPX/SPX privileges. + */ +#define PRIV_NETIPX_RESERVEDPORT 620 /* Bind low port number. */ +#define PRIV_NETIPX_RAW 621 /* Open netipx raw socket. */ + +/* + * NCP privileges. + */ +#define PRIV_NETNCP 630 /* Use another user's connection. */ - /* - * PRIV_ROOT is a catch-all for as yet unnamed privileges. No new - * references to this privilege should be added. - */ - PRIV_ROOT, /* Catch-all during development. */ +/* + * SMB privileges. + */ +#define PRIV_NETSMB 640 /* Use another user's connection. */ - /* - * The remaining privileges typically correspond to one or a small - * number of specific privilege checks, and have (relatively) precise - * meanings. They are loosely sorted into a set of base system - * privileges, such as the ability to reboot, and then loosely by - * subsystem, indicated by a subsystem name. - */ - PRIV_ACCT, /* Manage process accounting. */ - PRIV_MAXFILES, /* Exceed system open files limit. */ - PRIV_MAXPROC, /* Exceed system processes limit. */ - PRIV_KTRACE, /* Set/accept KTRFAC_ROOT on ktrace. */ - PRIV_SETDUMPER, /* Configure dump device (XXX: needs work). 
*/ - PRIV_NFSD, /* Can become NFS daemon. */ - PRIV_REBOOT, /* Can reboot system. */ - PRIV_SWAPON, /* Can swapon(). */ - PRIV_SWAPOFF, /* Can swapoff(). */ - PRIV_MSGBUF, /* Can read kernel message buffer. */ - PRIV_WITNESS, /* Can configure WITNESS. */ - PRIV_IO, /* Can perform low-level I/O. */ - PRIV_KEYBOARD, /* Reprogram keyboard. */ - PRIV_DRIVER, /* Low-level driver privilege. */ - PRIV_ADJTIME, /* Set time adjustment. */ - PRIV_NTP_ADJTIME, /* Set NTP time adjustment. */ - PRIV_CLOCK_SETTIME, /* Can call clock_settime. */ - PRIV_SETTIMEOFDAY, /* Can call settimeofday. */ - PRIV_SETHOSTID, /* Can call sethostid. */ - PRIV_SETDOMAINNAME, /* Can call setdomainname. */ - PRIV_AUDIT_CONTROL, /* Can configure audit. */ - PRIV_AUDIT_FAILSTOP, /* Can run during audit fail stop. */ - PRIV_AUDIT_GETAUDIT, /* Can get proc audit properties. */ - PRIV_AUDIT_SETAUDIT, /* Can set proc audit properties. */ - PRIV_AUDIT_SUBMIT, /* Can submit an audit record. */ - PRIV_CRED_SETUID, /* setuid. */ - PRIV_CRED_SETEUID, /* seteuid to !ruid and !svuid. */ - PRIV_CRED_SETGID, /* setgid. */ - PRIV_CRED_SETEGID, /* setgid to !rgid and !svgid. */ - PRIV_CRED_SETGROUPS, /* Set process additional groups. */ - PRIV_CRED_SETREUID, /* setreuid. */ - PRIV_CRED_SETREGID, /* setregid. */ - PRIV_CRED_SETRESUID, /* setresuid. */ - PRIV_CRED_SETRESGID, /* setresgid. */ - PRIV_SEEOTHERGIDS, /* Exempt bsd.seeothergids. */ - PRIV_SEEOTHERUIDS, /* Exempt bsd.seeotheruids. */ - PRIV_DEBUG_DIFFCRED, /* Exempt debugging other users. */ - PRIV_DEBUG_SUGID, /* Exempt debugging setuid proc. */ - PRIV_DEBUG_UNPRIV, /* Exempt unprivileged debug limit. */ - PRIV_DTRACE_KERNEL, /* Allow use of DTrace on the kernel. */ - PRIV_DTRACE_PROC, /* Allow attaching DTrace to process. */ - PRIV_DTRACE_USER, /* Allow process to submit DTrace events. */ - PRIV_FIRMWARE_LOAD, /* Can load firmware. */ - PRIV_JAIL_ATTACH, /* Attach to a jail. */ - PRIV_KENV_SET, /* Set kernel env. variables. 
*/ - PRIV_KENV_UNSET, /* Unset kernel env. variables. */ - PRIV_KLD_LOAD, /* Load a kernel module. */ - PRIV_KLD_UNLOAD, /* Unload a kernel module. */ - PRIV_MAC_PARTITION, /* Privilege in mac_partition policy. */ - PRIV_MAC_PRIVS, /* Privilege in the mac_privs policy. */ - PRIV_PROC_LIMIT, /* Exceed user process limit. */ - PRIV_PROC_SETLOGIN, /* Can call setlogin. */ - PRIV_PROC_SETRLIMIT, /* Can raise resources limits. */ - PRIV_IPC_READ, /* Can override IPC read perm. */ - PRIV_IPC_WRITE, /* Can override IPC write perm. */ - PRIV_IPC_EXEC, /* Can override IPC exec perm. */ - PRIV_IPC_ADMIN, /* Can override IPC owner-only perm. */ - PRIV_IPC_MSGSIZE, /* Exempt IPC message queue limit. */ - PRIV_MQ_ADMIN, /* Can override msgq owner-only perm. */ - PRIV_PMC_MANAGE, /* Can administer PMC. */ - PRIV_PMC_SYSTEM, /* Can allocate a system-wide PMC. */ - PRIV_SCHED_DIFFCRED, /* Exempt scheduling other users. */ - PRIV_SCHED_SETPRIORITY, /* Can set lower nice value for proc. */ - PRIV_SCHED_RTPRIO, /* Can set real time scheduling. */ - PRIV_SCHED_SETPOLICY, /* Can set scheduler policy. */ - PRIV_SCHED_SET, /* Can set thread scheduler. */ - PRIV_SCHED_SETPARAM, /* Can set thread scheduler params. */ - PRIV_SEM_WRITE, /* Can override sem write perm. */ - PRIV_SIGNAL_DIFFCRED, /* Exempt signalling other users. */ - PRIV_SIGNAL_SUGID, /* Non-conserv signal setuid proc. */ - PRIV_SYSCTL_DEBUG, /* Can invoke sysctl.debug. */ - PRIV_SYSCTL_WRITE, /* Can write sysctls. */ - PRIV_SYSCTL_WRITEJAIL, /* Can write sysctls, jail permitted. */ - PRIV_TTY_CONSOLE, /* Set console to tty. */ - PRIV_TTY_DRAINWAIT, /* Set tty drain wait time. */ - PRIV_TTY_DTRWAIT, /* Set DTR wait on tty. */ - PRIV_TTY_EXCLUSIVE, /* Override tty exclusive flag. */ - PRIV_TTY_PRISON, /* Can open pts across jails. */ - PRIV_TTY_STI, /* Simulate input on another tty. */ - PRIV_TTY_SETA, /* Set tty termios structure. */ - PRIV_UFS_EXTATTRCTL, /* Can configure EAs on UFS1. */ - PRIV_UFS_GETQUOTA, /* getquota(). 
*/ - PRIV_UFS_QUOTAOFF, /* quotaoff(). */ - PRIV_UFS_QUOTAON, /* quotaon(). */ - PRIV_UFS_SETQUOTA, /* setquota(). */ - PRIV_UFS_SETUSE, /* setuse(). */ - PRIV_UFS_EXCEEDQUOTA, /* Exempt from quota restrictions. */ - PRIV_VFS_READ, /* Override vnode DAC read perm. */ - PRIV_VFS_WRITE, /* Override vnode DAC write perm. */ - PRIV_VFS_ADMIN, /* Override vnode DAC admin perm. */ - PRIV_VFS_EXEC, /* Override vnode DAC exec perm. */ - PRIV_VFS_LOOKUP, /* Override vnode DAC lookup perm. */ - PRIV_VFS_BLOCKRESERVE, /* Can use free block reserve. */ - PRIV_VFS_CHFLAGS_DEV, /* Can chflags() a device node. */ - PRIV_VFS_CHOWN, /* Can set user; group to non-member. */ - PRIV_VFS_CHROOT, /* chroot(). */ - PRIV_VFS_CLEARSUGID, /* Don't clear sugid on change. */ - PRIV_VFS_EXTATTR_SYSTEM, /* Operate on system EA namespace. */ - PRIV_VFS_FCHROOT, /* fchroot(). */ - PRIV_VFS_FHOPEN, /* Can fhopen(). */ - PRIV_VFS_FHSTAT, /* Can fhstat(). */ - PRIV_VFS_FHSTATFS, /* Can fhstatfs(). */ - PRIV_VFS_GENERATION, /* stat() returns generation number. */ - PRIV_VFS_GETFH, /* Can retrieve file handles. */ - PRIV_VFS_LINK, /* bsd.hardlink_check_uid */ - PRIV_VFS_MKNOD_BAD, /* Can use mknod() to mark bad inodes. */ - PRIV_VFS_MKNOD_DEV, /* Can use mknod() to create device nodes. */ - PRIV_VFS_MKNOD_WHT, /* Can use mknod() to create whiteout. */ - PRIV_VFS_MOUNT, /* Can mount(). */ - PRIV_VFS_MOUNT_OWNER, /* Override owner on user mounts. */ - PRIV_VFS_MOUNT_EXPORTED, /* Can set MNT_EXPORTED on mount. */ - PRIV_VFS_MOUNT_PERM, /* Override device node perms at mount. */ - PRIV_VFS_MOUNT_SUIDDIR, /* Can set MNT_SUIDDIR on mount. */ - PRIV_VFS_MOUNT_NONUSER, /* Can perform a non-user mount. */ - PRIV_VFS_SETGID, /* Can setgid if not in group. */ - PRIV_VFS_STICKYFILE, /* Can set sticky bit on file. */ - PRIV_VFS_SYSFLAGS, /* Can modify system flags. */ - PRIV_VFS_UNMOUNT, /* Can unmount(). */ - PRIV_VM_MADV_PROTECT, /* Can set MADV_PROTECT. */ - PRIV_VM_MLOCK, /* Can mlock(), mlockall(). 
*/ - PRIV_VM_MUNLOCK, /* Can munlock(), munlockall(). */ - PRIV_DEVFS_RULE, /* Can manage devfs rules. */ - PRIV_DEVFS_SYMLINK, /* Can create symlinks in devfs. */ - PRIV_RANDOM_RESEED, /* Closing /dev/random reseeds. */ - PRIV_NET_BRIDGE, /* Administer bridge. */ - PRIV_NET_GRE, /* Administer GRE. */ - PRIV_NET_PPP, /* Administer PPP. */ - PRIV_NET_SLIP, /* Administer SLIP. */ - PRIV_NET_BPF, /* Monitor BPF. */ - PRIV_NET_RAW, /* Open raw socket. */ - PRIV_NET_ROUTE, /* Administer routing. */ - PRIV_NET_TAP, /* Can open tap device. */ - PRIV_NET_SETIFMTU, /* Set interface MTU. */ - PRIV_NET_SETIFFLAGS, /* Set interface flags. */ - PRIV_NET_SETIFCAP, /* Set interface capabilities. */ - PRIV_NET_SETIFNAME, /* Set interface name. */ - PRIV_NET_SETIFMETRIC, /* Set interface metrics. */ - PRIV_NET_SETIFPHYS, /* Set interface physical layer prop. */ - PRIV_NET_SETIFMAC, /* Set interface MAC label. */ - PRIV_NET_ADDMULTI, /* Add multicast addr. to ifnet. */ - PRIV_NET_DELMULTI, /* Delete multicast addr. from ifnet. */ - PRIV_NET_HWIOCTL, /* Issue hardware ioctl on ifnet. */ - PRIV_NET_SETLLADDR, - PRIV_NET_ADDIFGROUP, /* Add new interface group. */ - PRIV_NET_DELIFGROUP, /* Delete interface group. */ - PRIV_NET_IFCREATE, /* Create cloned interface. */ - PRIV_NET_IFDESTROY, /* Destroy cloned interface. */ - PRIV_NET_ADDIFADDR, /* Add protocol address to interface. */ - PRIV_NET_DELIFADDR, /* Delete protocol address on interface. */ - PRIV_NET80211_GETKEY, /* Query 802.11 keys. */ - PRIV_NET80211_MANAGE, /* Administer 802.11. */ - PRIV_NETATALK_RESERVEDPORT, /* Bind low port number. */ - PRIV_NETATM_CFG, - PRIV_NETATM_ADD, - PRIV_NETATM_DEL, - PRIV_NETATM_SET, - PRIV_NETBLUETOOTH_RAW, /* Open raw bluetooth socket. */ - PRIV_NETGRAPH_CONTROL, /* Open netgraph control socket. */ - PRIV_NETGRAPH_TTY, /* Configure tty for netgraph. */ - PRIV_NETINET_RESERVEDPORT, /* Bind low port number. */ - PRIV_NETINET_IPFW, /* Administer IPFW firewall. 
*/ - PRIV_NETINET_DIVERT, /* Open IP divert socket. */ - PRIV_NETINET_PF, /* Administer pf firewall. */ - PRIV_NETINET_DUMMYNET, /* Administer DUMMYNET. */ - PRIV_NETINET_CARP, /* Administer CARP. */ - PRIV_NETINET_MROUTE, /* Administer multicast routing. */ - PRIV_NETINET_RAW, /* Open netinet raw socket. */ - PRIV_NETINET_GETCRED, /* Query netinet pcb credentials. */ - PRIV_NETINET_ADDRCTRL6, /* Administer IPv6 address scopes. */ - PRIV_NETINET_ND6, /* Administer IPv6 neighbor disc. */ - PRIV_NETINET_SCOPE6, /* Administer IPv6 address scopes. */ - PRIV_NETINET_ALIFETIME6, /* Administer IPv6 address lifetimes. */ - PRIV_NETINET_IPSEC, /* Administer IPSEC. */ - PRIV_NETIPX_RESERVEDPORT, /* Bind low port number. */ - PRIV_NETIPX_RAW, /* Open netipx raw socket. */ - PRIV_NETNCP, /* Allow use of connection owned by another user. */ - PRIV_NETSMB, /* Allow use of connection owned by another user. */ - PRIV_VM86_INTCALL, /* Allow invoking vm86 int handlers. */ +/* + * VM86 privileges. + */ +#define PRIV_VM86_INTCALL 650/* Allow invoking vm86 int handlers. */ - /* - * Set of reserved privilege values, which will be allocated to code - * as needed, in order to avoid renumbering later privileges due to - * insertion. - */ - _PRIV_RESERVED0, - _PRIV_RESERVED1, - _PRIV_RESERVED2, - _PRIV_RESERVED3, - _PRIV_RESERVED4, - _PRIV_RESERVED5, - _PRIV_RESERVED6, - _PRIV_RESERVED7, - _PRIV_RESERVED8, - _PRIV_RESERVED9, - _PRIV_RESERVED10, - _PRIV_RESERVED11, - _PRIV_RESERVED12, - _PRIV_RESERVED13, - _PRIV_RESERVED14, - _PRIV_RESERVED15, +/* + * Set of reserved privilege values, which will be allocated to code + * as needed, in order to avoid renumbering later privileges due to + * insertion. 
+ */ +#define _PRIV_RESERVED0 660 +#define _PRIV_RESERVED1 661 +#define _PRIV_RESERVED2 662 +#define _PRIV_RESERVED3 663 +#define _PRIV_RESERVED4 664 +#define _PRIV_RESERVED5 665 +#define _PRIV_RESERVED6 666 +#define _PRIV_RESERVED7 667 +#define _PRIV_RESERVED8 668 +#define _PRIV_RESERVED9 669 +#define _PRIV_RESERVED10 670 +#define _PRIV_RESERVED11 671 +#define _PRIV_RESERVED12 672 +#define _PRIV_RESERVED13 673 +#define _PRIV_RESERVED14 674 +#define _PRIV_RESERVED15 675 - /* - * Define a set of valid privilege numbers that can be used by - * loadable modules that don't yet have privilege reservations. - * Ideally, these should not be used, since their meaning is opaque - * to any policies that are aware of specific privileges, such as - * jail, and as such may be arbitrarily denied. - */ - PRIV_MODULE0, - PRIV_MODULE1, - PRIV_MODULE2, - PRIV_MODULE3, - PRIV_MODULE4, - PRIV_MODULE5, - PRIV_MODULE6, - PRIV_MODULE7, - PRIV_MODULE8, - PRIV_MODULE9, - PRIV_MODULE10, - PRIV_MODULE11, - PRIV_MODULE12, - PRIV_MODULE13, - PRIV_MODULE14, - PRIV_MODULE15, +/* + * Define a set of valid privilege numbers that can be used by + * loadable modules that don't yet have privilege reservations. + * Ideally, these should not be used, since their meaning is opaque + * to any policies that are aware of specific privileges, such as + * jail, and as such may be arbitrarily denied. + */ +#define PRIV_MODULE0 700 +#define PRIV_MODULE1 701 +#define PRIV_MODULE2 702 +#define PRIV_MODULE3 703 +#define PRIV_MODULE4 704 +#define PRIV_MODULE5 705 +#define PRIV_MODULE6 706 +#define PRIV_MODULE7 707 +#define PRIV_MODULE8 708 +#define PRIV_MODULE9 709 +#define PRIV_MODULE10 710 +#define PRIV_MODULE11 711 +#define PRIV_MODULE12 712 +#define PRIV_MODULE13 713 +#define PRIV_MODULE14 714 +#define PRIV_MODULE15 715 - /* Track end of privilege list. */ - _PRIV_HIGHEST -}; +/* + * Track end of privilege list. 
+ */ +#define _PRIV_HIGHEST 716 /* * Validate that a named privilege is known by the privilege system. Invalid @@ -311,8 +447,8 @@ */ struct thread; struct ucred; -int priv_check(struct thread *td, enum priv priv); -int priv_check_cred(struct ucred *cred, enum priv priv, int flags); +int priv_check(struct thread *td, int priv); +int priv_check_cred(struct ucred *cred, int priv, int flags); #endif #endif /* !_SYS_PRIV_H_ */
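Review bot: in the kern_priv.c hunk that changes priv_check_cred() to take `int priv`, the switch from `enum priv` to `int` removes the only compile-time hint that a caller passed a privilege value at all, and the new priv.h layout deliberately leaves unassigned gaps (22-39, 415-539 and so on) inside the `_PRIV_LOWEST`..`_PRIV_HIGHEST` range. A plain range check therefore no longer distinguishes an assigned privilege from a gap value; whatever the "Validate that a named privilege is known by the privilege system" helper in priv.h does, it should be applied on entry to priv_check_cred() (a KASSERT alongside the existing one in priv_check() would do), and the fallback for an unknown number must be the deny path, not the suser path.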
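Review bot: in the mac_privs.c hunk that changes `struct rule` to `int r_priv`, the wildcard sentinel described later in the same file ("privilege of -1 in the rule") is now an ordinary negative `int` rather than an out-of-range enum value, which is cleaner, but it is still a magic number shared between mac_privs_rule_add(), mac_privs_rule_delete() and mac_privs_priv_grant(). Give it a named constant next to the struct definition and mention the wildcard in the `struct rule` comment, so a future caller does not accidentally accept -1 from userland through mac_privs_add_args as a real privilege.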
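Review bot: in the mac_privs.h hunk, the `uid_t uid;` lines of mac_privs_add_args, mac_privs_delete_args and mac_privs_list_entry appear as both `-` and `+` lines although only `enum priv priv` became `int priv`, so these look like whitespace-only changes riding along with the type change. Since these structs are the MAC_PRIVS_ADD/MAC_PRIVS_DELETE/MAC_PRIVS_LIST argument layouts and the stated goal is ABI stability, the diff would be easier to audit if it touched only the field whose width actually changes; if the whitespace fix is intentional, say so in the commit message.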
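Review bot: in the mac_policy.h hunk, the added `struct cdev;` forward declaration is unrelated to the enum-to-int conversion and is not mentioned in the commit message; either split it into its own change or add a line explaining why it is needed here (the matching `struct cdev;` already exists in mac_framework.h, so this is presumably fixing a missing declaration in the policy-side header).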
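Review bot: in the priv.h hunk, PRIV_NET_HWIOCTL through PRIV_NET_DELIFADDR are numbered 507-514 while the entry just before them is `PRIV_NET_DELMULTI 406` and the next subsystem block starts at `PRIV_NET80211_GETKEY 540`; this looks like a typo for 407-414, and because the commit message says these numbers are being hard-coded for ABI stability it needs to be settled before anything is built against them. Smaller points in the same hunk: `#define PRIV_VM86_INTCALL 650/* Allow invoking vm86 int handlers. */` is missing the space before the comment; `PRIV_NET_SETLLADDR 508` and the four `PRIV_NETATM_*` definitions carry no description while every other entry does; the block comments read "Firmware privilegs." and "Kernel environment priveleges."; and with explicit numbering and per-subsystem gaps the `_PRIV_RESERVED0`..`_PRIV_RESERVED15` block no longer serves its stated purpose (avoiding renumbering on insertion), so it could be dropped or its comment updated to say what it is still reserved for.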