From 874fef3711edde585a8352a92a88c553884aa3f7 Mon Sep 17 00:00:00 2001 
From: elad Date: Sun, 14 May 2006 21:19:33 +0000 Subject: [PATCH] integrate kauth. --- sys/altq/altq_afmap.c | 7 ++- sys/altq/altq_blue.c | 8 ++- sys/altq/altq_cbq.c | 7 ++- sys/altq/altq_cdnr.c | 8 ++- sys/altq/altq_conf.c | 8 ++- sys/altq/altq_fifoq.c | 8 ++- sys/altq/altq_hfsc.c | 8 ++- sys/altq/altq_priq.c | 8 ++- sys/altq/altq_red.c | 8 ++- sys/altq/altq_rio.c | 8 ++- sys/altq/altq_wfq.c | 8 ++- sys/coda/coda_namecache.c | 33 ++++++----- sys/coda/coda_namecache.h | 12 ++-- sys/coda/coda_venus.c | 51 +++++++++-------- sys/coda/coda_venus.h | 42 +++++++------- sys/coda/coda_vfsops.c | 15 ++--- sys/coda/coda_vfsops.h | 6 +- sys/coda/coda_vnops.c | 57 ++++++++++--------- sys/coda/coda_vnops.h | 6 +- sys/compat/common/compat_util.c | 8 +-- sys/compat/common/kern_info_43.c | 7 ++- sys/compat/common/kern_sig_43.c | 7 ++- sys/compat/common/kern_xxx_12.c | 7 ++- sys/compat/common/vfs_syscalls_20.c | 7 ++- sys/compat/common/vfs_syscalls_30.c | 8 ++- sys/compat/darwin/darwin_attr.c | 14 ++--- sys/compat/darwin/darwin_sysctl.c | 35 ++++++------ sys/compat/freebsd/freebsd_sched.c | 53 ++++++++--------- sys/compat/freebsd/freebsd_syscallargs.h | 2 +- sys/compat/hpux/hpux_compat.c | 47 ++++++++------- sys/compat/ibcs2/ibcs2_exec_coff.c | 10 ++-- sys/compat/ibcs2/ibcs2_exec_xout.c | 6 +- sys/compat/ibcs2/ibcs2_fcntl.c | 7 ++- sys/compat/ibcs2/ibcs2_misc.c | 9 +-- sys/compat/irix/irix_fcntl.c | 6 +- sys/compat/irix/irix_ioctl.c | 6 +- sys/compat/irix/irix_mman.c | 10 ++-- sys/compat/irix/irix_mount.c | 12 ++-- sys/compat/irix/irix_prctl.c | 37 ++++++------ sys/compat/irix/irix_usema.c | 10 ++-- sys/compat/linux/arch/alpha/linux_machdep.c | 6 +- .../linux/arch/amd64/linux_exec_machdep.c | 12 ++-- sys/compat/linux/arch/i386/linux_machdep.c | 10 ++-- sys/compat/linux/arch/m68k/linux_machdep.c | 8 +-- sys/compat/linux/arch/mips/linux_machdep.c | 6 +- .../linux/arch/powerpc/linux_exec_powerpc.c | 12 ++-- sys/compat/linux/common/linux_exec_elf32.c | 13 +++-- 
sys/compat/linux/common/linux_file.c | 6 +- sys/compat/linux/common/linux_file64.c | 6 +- sys/compat/linux/common/linux_ioctl.c | 6 +- sys/compat/linux/common/linux_misc.c | 32 ++++++----- sys/compat/linux/common/linux_misc_notalpha.c | 22 ++++--- sys/compat/linux/common/linux_sched.c | 53 ++++++++--------- sys/compat/linux/common/linux_socket.c | 8 +-- sys/compat/linux/common/linux_uselib.c | 6 +- .../linux32/common/linux32_exec_elf32.c | 12 ++-- sys/compat/linux32/common/linux32_misc.c | 6 +- sys/compat/linux32/common/linux32_time.c | 6 +- sys/compat/mach/mach_task.c | 8 +-- sys/compat/ndis/subr_pe.c | 2 +- sys/compat/netbsd32/netbsd32_compat_30.c | 8 ++- sys/compat/netbsd32/netbsd32_exec_elf32.c | 13 +++-- sys/compat/netbsd32/netbsd32_fs.c | 14 +++-- sys/compat/netbsd32/netbsd32_netbsd.c | 21 ++++--- sys/compat/netbsd32/netbsd32_time.c | 13 +++-- sys/compat/osf1/osf1_exec_ecoff.c | 8 +-- sys/compat/ossaudio/ossaudio.c | 6 +- sys/compat/pecoff/pecoff_exec.c | 8 +-- sys/compat/sunos/sunos_misc.c | 6 +- sys/compat/sunos32/sunos32_misc.c | 7 ++- sys/compat/svr4/svr4_fcntl.c | 13 +++-- sys/compat/svr4/svr4_sysent.c | 4 +- sys/compat/svr4_32/svr4_32_exec_elf32.c | 12 ++-- sys/compat/svr4_32/svr4_32_fcntl.c | 13 +++-- sys/compat/svr4_32/svr4_32_stat.c | 9 +-- sys/conf/files | 3 +- sys/conf/majors | 2 +- sys/contrib/dev/ath/netbsd/ah_osdep.c | 6 +- sys/contrib/dev/ath/public/alpha-elf.hal.o.uu | 2 +- .../dev/ath/public/powerpc-le-eabi.hal.o.uu | 2 +- sys/ddb/db_command.c | 4 +- sys/ddb/db_xxx.c | 7 ++- sys/net/agr/if_agr.c | 7 ++- sys/net/bpf.c | 17 +++--- sys/net/if.c | 13 +++-- sys/net/if_bridge.c | 9 ++- sys/net/if_ethersubr.c | 5 +- sys/net/if_gif.c | 14 +++-- sys/net/if_gre.c | 17 +++--- sys/net/if_ppp.c | 19 ++++--- sys/net/if_pppoe.c | 7 ++- sys/net/if_sl.c | 7 ++- sys/net/if_spppsubr.c | 7 ++- sys/net/if_stf.c | 8 ++- sys/net/if_strip.c | 7 ++- sys/net/if_tap.c | 13 +++-- sys/net/if_tun.c | 7 ++- sys/net/if_vlan.c | 7 ++- sys/net/net_osdep.h | 4 +- 
sys/net/ppp_tty.c | 13 +++-- sys/net/raw_usrreq.c | 7 ++- sys/net/rtsock.c | 7 ++- sys/net80211/ieee80211_input.c | 4 +- sys/net80211/ieee80211_ioctl.c | 27 ++++++--- sys/netatalk/at_control.c | 8 ++- sys/netatalk/ddp_usrreq.c | 8 ++- sys/netccitt/llc_subr.c | 4 +- sys/netccitt/pk_acct.c | 11 ++-- sys/netccitt/pk_usrreq.c | 12 ++-- sys/netinet/in.c | 14 +++-- sys/netinet/in_pcb.c | 10 ++-- sys/netinet/ip_output.c | 7 ++- sys/netinet/raw_ip.c | 8 ++- sys/netinet/tcp_timer.c | 4 +- sys/netinet/tcp_usrreq.c | 9 +-- sys/netinet6/in6.c | 7 ++- sys/netinet6/in6_pcb.c | 8 ++- sys/netinet6/in6_src.c | 6 +- sys/netinet6/ip6_output.c | 11 ++-- sys/netinet6/raw_ip6.c | 11 ++-- sys/netinet6/udp6_output.c | 7 ++- sys/netipsec/ipsec_netbsd.c | 4 +- sys/netisdn/i4b_ipr.c | 8 ++- sys/netiso/esis.c | 9 ++- sys/netiso/iso.c | 9 ++- sys/netiso/iso_pcb.c | 7 ++- sys/netiso/iso_snpac.c | 7 ++- sys/netiso/tp_output.c | 8 ++- sys/netns/idp_usrreq.c | 8 ++- sys/netns/ns.c | 9 ++- sys/netns/ns_pcb.c | 9 ++- sys/netsmb/smb_conn.c | 50 +++++++++------- sys/netsmb/smb_dev.h | 4 +- sys/netsmb/smb_subr.c | 9 +-- sys/netsmb/smb_subr.h | 9 +-- 135 files changed, 866 insertions(+), 692 deletions(-) diff --git a/sys/altq/altq_afmap.c b/sys/altq/altq_afmap.c index cb70c8d7bf1e..d87b56f16b50 100644 --- a/sys/altq/altq_afmap.c +++ b/sys/altq/altq_afmap.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_afmap.c,v 1.10 2006/04/23 06:46:39 christos Exp $ */ +/* $NetBSD: altq_afmap.c,v 1.11 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_afmap.c,v 1.7 2000/12/14 08:12:45 thorpej Exp $ */ /* @@ -36,7 +36,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_afmap.c,v 1.10 2006/04/23 06:46:39 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_afmap.c,v 1.11 2006/05/14 21:24:49 elad Exp $"); #ifdef _KERNEL_OPT #include "opt_altq.h" 
@@ -383,7 +383,8 @@ afmioctl(dev, cmd, addr, flag, l) #if (__FreeBSD_version > 400000) error = suser(p); #else - error = suser(p->p_ucred, &p->p_acflag); + error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag); #endif if (error) return (error); diff --git a/sys/altq/altq_blue.c b/sys/altq/altq_blue.c index d9eb54bffeba..19558c4d614f 100644 --- a/sys/altq/altq_blue.c +++ b/sys/altq/altq_blue.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_blue.c,v 1.14 2006/04/23 16:57:22 christos Exp $ */ +/* $NetBSD: altq_blue.c,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_blue.c,v 1.8 2002/01/07 11:25:40 kjc Exp $ */ /* @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_blue.c,v 1.14 2006/04/23 16:57:22 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_blue.c,v 1.15 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" @@ -177,7 +177,9 @@ blueioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_cbq.c b/sys/altq/altq_cbq.c index 4787189762cb..fe9bceae4aa8 100644 --- a/sys/altq/altq_cbq.c +++ b/sys/altq/altq_cbq.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_cbq.c,v 1.14 2006/04/23 16:57:22 christos Exp $ */ +/* $NetBSD: altq_cbq.c,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_cbq.c,v 1.11 2002/10/04 14:24:09 kjc Exp $ */ /* @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.14 2006/04/23 16:57:22 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.15 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" 
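Review bot: The call added in the `#else` arm of afmioctl still asks only the blanket superuser question (`KAUTH_GENERIC_ISSUSER`), so a kauth listener cannot tell an ALTQ configuration request apart from any other root-only operation and cannot allow or deny it on its own. If this is meant as a transitional step, say so at the call site, for example `/* XXX kauth: generic superuser check; replace with a dedicated action for ALTQ configuration */`. The same applies to the identical calls added in blueioctl, cbqioctl, cdnrioctl, altqioctl, fifoqioctl, hfscioctl, priqioctl, redioctl, rioioctl and wfqioctl. Each of these functions starts and ends outside its hunk, so which ioctl commands reach the check cannot be confirmed from here.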
@@ -860,7 +860,8 @@ cbqioctl(dev, cmd, addr, flag, l) #if (__FreeBSD_version > 400000) error = suser(p); #else - error = suser(p->p_ucred, &p->p_acflag); + error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag); #endif if (error) return (error); diff --git a/sys/altq/altq_cdnr.c b/sys/altq/altq_cdnr.c index d1eab51593d4..3d00081d800c 100644 --- a/sys/altq/altq_cdnr.c +++ b/sys/altq/altq_cdnr.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_cdnr.c,v 1.11 2006/04/23 06:46:40 christos Exp $ */ +/* $NetBSD: altq_cdnr.c,v 1.12 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_cdnr.c,v 1.8 2000/12/14 08:12:45 thorpej Exp $ */ /* @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_cdnr.c,v 1.11 2006/04/23 06:46:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_cdnr.c,v 1.12 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" @@ -1259,7 +1259,9 @@ cdnrioctl(dev, cmd, addr, flag, l) #if (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) #endif return (error); break; diff --git a/sys/altq/altq_conf.c b/sys/altq/altq_conf.c index 2d142efb9eb9..9263d453a8bb 100644 --- a/sys/altq/altq_conf.c +++ b/sys/altq/altq_conf.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_conf.c,v 1.12 2005/12/11 12:16:03 christos Exp $ */ +/* $NetBSD: altq_conf.c,v 1.13 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_conf.c,v 1.13 2002/01/29 10:16:01 kjc Exp $ */ /* @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_conf.c,v 1.12 2005/12/11 12:16:03 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_conf.c,v 1.13 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" 
@@ -275,7 +275,9 @@ altqioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_fifoq.c b/sys/altq/altq_fifoq.c index 70ef3cfa6978..41f48a669279 100644 --- a/sys/altq/altq_fifoq.c +++ b/sys/altq/altq_fifoq.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_fifoq.c,v 1.8 2006/04/23 06:46:40 christos Exp $ */ +/* $NetBSD: altq_fifoq.c,v 1.9 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_fifoq.c,v 1.7 2000/12/14 08:12:45 thorpej Exp $ */ /* @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_fifoq.c,v 1.8 2006/04/23 06:46:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_fifoq.c,v 1.9 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" @@ -139,7 +139,9 @@ fifoqioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_hfsc.c b/sys/altq/altq_hfsc.c index 32ec0cb6ee34..ace13099f9ae 100644 --- a/sys/altq/altq_hfsc.c +++ b/sys/altq/altq_hfsc.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_hfsc.c,v 1.14 2006/04/23 16:57:22 christos Exp $ */ +/* $NetBSD: altq_hfsc.c,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_hfsc.c,v 1.9 2001/10/26 04:56:11 kjc Exp $ */ /* @@ -41,7 +41,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.14 2006/04/23 16:57:22 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.15 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" 
@@ -1455,7 +1455,9 @@ hfscioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_priq.c b/sys/altq/altq_priq.c index 7dc63af235ad..1489638f3041 100644 --- a/sys/altq/altq_priq.c +++ b/sys/altq/altq_priq.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_priq.c,v 1.10 2006/04/23 06:46:40 christos Exp $ */ +/* $NetBSD: altq_priq.c,v 1.11 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_priq.c,v 1.2 2001/10/26 04:56:11 kjc Exp $ */ /* * Copyright (C) 2000 @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.10 2006/04/23 06:46:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.11 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" @@ -549,7 +549,9 @@ priqioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_red.c b/sys/altq/altq_red.c index ac78c4931794..f751170ae89e 100644 --- a/sys/altq/altq_red.c +++ b/sys/altq/altq_red.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_red.c,v 1.15 2006/04/23 16:57:22 christos Exp $ */ +/* $NetBSD: altq_red.c,v 1.16 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_red.c,v 1.9 2002/01/07 11:25:40 kjc Exp $ */ /* @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_red.c,v 1.15 2006/04/23 16:57:22 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_red.c,v 1.16 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" 
@@ -271,7 +271,9 @@ redioctl(dev, cmd, addr, flag, l) #if (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) #endif return (error); break; diff --git a/sys/altq/altq_rio.c b/sys/altq/altq_rio.c index 65e0038bec55..e9fb087af183 100644 --- a/sys/altq/altq_rio.c +++ b/sys/altq/altq_rio.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_rio.c,v 1.9 2006/04/23 06:46:40 christos Exp $ */ +/* $NetBSD: altq_rio.c,v 1.10 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_rio.c,v 1.8 2000/12/14 08:12:46 thorpej Exp $ */ /* @@ -60,7 +60,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_rio.c,v 1.9 2006/04/23 06:46:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_rio.c,v 1.10 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" @@ -246,7 +246,9 @@ rioioctl(dev, cmd, addr, flag, l) if ((error = suser(p)) != 0) return (error); #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) return (error); #endif break; diff --git a/sys/altq/altq_wfq.c b/sys/altq/altq_wfq.c index b61027d0be7d..001e3520ca21 100644 --- a/sys/altq/altq_wfq.c +++ b/sys/altq/altq_wfq.c @@ -1,4 +1,4 @@ -/* $NetBSD: altq_wfq.c,v 1.10 2006/04/23 06:46:40 christos Exp $ */ +/* $NetBSD: altq_wfq.c,v 1.11 2006/05/14 21:24:49 elad Exp $ */ /* $KAME: altq_wfq.c,v 1.7 2000/12/14 08:12:46 thorpej Exp $ */ /* @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.10 2006/04/23 06:46:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.11 2006/05/14 21:24:49 elad Exp $"); #if defined(__FreeBSD__) || defined(__NetBSD__) #include "opt_altq.h" 
@@ -689,7 +689,9 @@ wfqioctl(dev, cmd, addr, flag, l) #if (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) #else - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) #endif return (error); break; diff --git a/sys/coda/coda_namecache.c b/sys/coda/coda_namecache.c index 91c6fb102c0b..76b01fe936a1 100644 --- a/sys/coda/coda_namecache.c +++ b/sys/coda/coda_namecache.c @@ -1,4 +1,4 @@ -/* $NetBSD: coda_namecache.c,v 1.17 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_namecache.c,v 1.18 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -77,12 +77,13 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: coda_namecache.c,v 1.17 2005/12/11 12:19:50 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: coda_namecache.c,v 1.18 2006/05/14 21:24:49 elad Exp $"); #include #include #include #include +#include #include #include @@ -121,7 +122,7 @@ int coda_nc_debug = 0; */ static struct coda_cache * coda_nc_find(struct cnode *dcp, const char *name, int namelen, - struct ucred *cred, int hash); + kauth_cred_t cred, int hash); static void coda_nc_remove(struct coda_cache *cncp, enum dc_status dcstat); @@ -172,7 +173,7 @@ coda_nc_init(void) static struct coda_cache * coda_nc_find(struct cnode *dcp, const char *name, int namelen, - struct ucred *cred, int hash) + kauth_cred_t cred, int hash) { /* * hash to find the appropriate bucket, look through the chain 
@@ -202,8 +203,12 @@ coda_nc_find(struct cnode *dcp, const char *name, int namelen, printf("coda_nc_find: name %s, new cred = %p, cred = %p\n", name, cred, cncp->cred); printf("nref %d, nuid %d, ngid %d // oref %d, ocred %d, ogid %d\n", - cred->cr_ref, cred->cr_uid, cred->cr_gid, - cncp->cred->cr_ref, cncp->cred->cr_uid, cncp->cred->cr_gid); + kauth_cred_getrefcnt(cred), + kauth_cred_geteuid(cred), + kauth_cred_getegid(cred), + kauth_cred_getrefcnt(cncp->cred), + kauth_cred_geteuid(cncp->cred), + kauth_cred_getegid(cncp->cred)); print_cred(cred); print_cred(cncp->cred); } @@ -219,7 +224,7 @@ coda_nc_find(struct cnode *dcp, const char *name, int namelen, */ void coda_nc_enter(struct cnode *dcp, const char *name, int namelen, - struct ucred *cred, struct cnode *cp) + kauth_cred_t cred, struct cnode *cp) { struct coda_cache *cncp; int hash; @@ -262,7 +267,7 @@ coda_nc_enter(struct cnode *dcp, const char *name, int namelen, CODA_NC_HSHREM(cncp); vrele(CTOV(cncp->dcp)); vrele(CTOV(cncp->cp)); - crfree(cncp->cred); + kauth_cred_free(cncp->cred); } /* @@ -270,7 +275,7 @@ coda_nc_enter(struct cnode *dcp, const char *name, int namelen, */ vref(CTOV(cp)); vref(CTOV(dcp)); - crhold(cred); + kauth_cred_hold(cred); cncp->dcp = dcp; cncp->cp = cp; cncp->namelen = namelen; @@ -293,7 +298,7 @@ coda_nc_enter(struct cnode *dcp, const char *name, int namelen, */ struct cnode * coda_nc_lookup(struct cnode *dcp, const char *name, int namelen, - struct ucred *cred) + kauth_cred_t cred) { int hash; struct coda_cache *cncp; @@ -364,7 +369,7 @@ coda_nc_remove(struct coda_cache *cncp, enum dc_status dcstat) } vrele(CTOV(cncp->cp)); - crfree(cncp->cred); + kauth_cred_free(cncp->cred); memset(DATA_PART(cncp), 0, DATA_SIZE); /* Put the null entry just after the least-recently-used entry */ 
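Review bot: The second printf in coda_nc_find keeps `%d` for all six values, but the arguments are now the results of `kauth_cred_getrefcnt()`, `kauth_cred_geteuid()` and `kauth_cred_getegid()`, which are presumably unsigned (a reference count, a uid_t and a gid_t). Large ids would then print as negative numbers and the format would no longer match the argument types. Use `%u` and cast each argument, e.g. `(unsigned)kauth_cred_geteuid(cred)`. The label `ocred` is printed with the cached entry's uid and would read better as `ouid`. The statement appears to sit inside a conditional block whose opening is outside the hunk.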
@@ -451,7 +456,7 @@ coda_nc_zapfid(CodaFid *fid, enum dc_status dcstat) * Remove all entries which match the fid and the cred */ void -coda_nc_zapvnode(CodaFid *fid, struct ucred *cred, enum dc_status dcstat) +coda_nc_zapvnode(CodaFid *fid, kauth_cred_t cred, enum dc_status dcstat) { /* See comment for zapfid. I don't think that one would ever want to zap a file with a specific cred from the kernel. @@ -533,7 +538,7 @@ coda_nc_purge_user(uid_t uid, enum dc_status dcstat) ncncp = CODA_NC_LRUGET(*cncp); if ((CODA_NC_VALID(cncp)) && - ((cncp->cred)->cr_uid == uid)) { + (kauth_cred_geteuid(cncp->cred) == uid)) { /* Seems really ugly, but we have to decrement the appropriate hash bucket length here, so we have to find the hash bucket */ @@ -598,7 +603,7 @@ coda_nc_flush(enum dc_status dcstat) } vrele(CTOV(cncp->cp)); - crfree(cncp->cred); + kauth_cred_free(cncp->cred); memset(DATA_PART(cncp), 0, DATA_SIZE); } } diff --git a/sys/coda/coda_namecache.h b/sys/coda/coda_namecache.h index 757e3f5d5186..9110a7b06b61 100644 --- a/sys/coda/coda_namecache.h +++ b/sys/coda/coda_namecache.h @@ -1,4 +1,4 @@ -/* $NetBSD: coda_namecache.h,v 1.9 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_namecache.h,v 1.10 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -114,7 +114,7 @@ struct coda_cache { struct coda_cache *lru_next, *lru_prev; /* LRU list */ struct cnode *cp; /* vnode of the file */ struct cnode *dcp; /* parent's cnode */ - struct ucred *cred; /* user credentials */ + kauth_cred_t cred; /* user credentials */ char name[CODA_NC_NAMELEN]; /* segment name */ int namelen; /* length of name */ }; 
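Review bot: `struct coda_cache` in coda_namecache.h now has a `kauth_cred_t cred` member, but the commit adds no include to this header; its diffstat count of 12 is fully accounted for by the RCS id line, this member and the prototypes. The header therefore compiles only when the including file has already pulled in the kauth declarations. Add `#include <sys/kauth.h>` near the top so the header is self-contained. coda_venus.h and coda_vfsops.h now take `kauth_cred_t` in their prototypes and look to be in the same position.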
@@ -139,12 +139,14 @@ struct coda_hash { /* Start of Hash chain */ /* Prototypes of functions exported within cfs */ extern void coda_nc_init(void); -extern void coda_nc_enter(struct cnode *, const char *, int, struct ucred *, struct cnode *); -extern struct cnode *coda_nc_lookup(struct cnode *, const char *, int, struct ucred *); +extern void coda_nc_enter(struct cnode *, const char *, int, + kauth_cred_t, struct cnode *); +extern struct cnode *coda_nc_lookup(struct cnode *, const char *, int, + kauth_cred_t); extern void coda_nc_zapParentfid(CodaFid *, enum dc_status); extern void coda_nc_zapfid(CodaFid *, enum dc_status); -extern void coda_nc_zapvnode(CodaFid *, struct ucred *, enum dc_status); +extern void coda_nc_zapvnode(CodaFid *, kauth_cred_t, enum dc_status); extern void coda_nc_zapfile(struct cnode *, const char *, int); extern void coda_nc_purge_user(uid_t, enum dc_status); extern void coda_nc_flush(enum dc_status); diff --git a/sys/coda/coda_venus.c b/sys/coda/coda_venus.c index cd768df5ec70..d59824c6e3a1 100644 --- a/sys/coda/coda_venus.c +++ b/sys/coda/coda_venus.c @@ -1,4 +1,4 @@ -/* $NetBSD: coda_venus.c,v 1.23 2006/04/12 00:59:56 christos Exp $ */ +/* $NetBSD: coda_venus.c,v 1.24 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.23 2006/04/12 00:59:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.24 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -42,6 +42,7 @@ __KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.23 2006/04/12 00:59:56 christos Exp #include /* for CNV_OFLAGS below */ #include +#include #include #include 
@@ -119,8 +120,8 @@ __KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.23 2006/04/12 00:59:56 christos Exp KASSERT(cred != NULL); \ KASSERT(cred != FSCRED); \ if (ident != NOCRED) { \ - (in)->cred.cr_uid = ident->cr_uid; \ - (in)->cred.cr_groupid = ident->cr_gid; \ + (in)->cred.cr_uid = kauth_cred_geteuid(ident); \ + (in)->cred.cr_groupid = kauth_cred_getegid(ident); \ } else { \ memset(&((in)->cred), 0, sizeof(struct coda_cred)); \ (in)->cred.cr_uid = -1; \ @@ -136,7 +137,7 @@ __KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.23 2006/04/12 00:59:56 christos Exp KASSERT(cred != NULL); \ KASSERT(cred != FSCRED); \ if (ident != NOCRED) { \ - (in)->uid = ident->cr_uid; \ + (in)->uid = kauth_cred_geteuid(ident); \ } else { \ (in)->uid = -1; \ } \ @@ -204,7 +205,7 @@ int coda_kernel_version = CODA_KERNEL_VERSION; int venus_root(void *mdp, - struct ucred *cred, struct proc *p, + kauth_cred_t cred, struct proc *p, /*out*/ CodaFid *VFid) { DECL_NO_IN(coda_root); /* sets Isize & Osize */ @@ -223,7 +224,7 @@ venus_root(void *mdp, int venus_open(void *mdp, CodaFid *fid, int flag, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ dev_t *dev, ino_t *inode) { int cflag; @@ -249,7 +250,7 @@ venus_open(void *mdp, CodaFid *fid, int flag, int venus_close(void *mdp, CodaFid *fid, int flag, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { int cflag; DECL_NO_OUT(coda_close); /* sets Isize & Osize */ @@ -287,7 +288,7 @@ venus_write(void) int venus_ioctl(void *mdp, CodaFid *fid, int com, int flag, caddr_t data, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL(coda_ioctl); /* sets Isize & Osize */ struct PioctlData *iap = (struct PioctlData *)data; @@ -342,7 +343,7 @@ venus_ioctl(void *mdp, CodaFid *fid, int venus_getattr(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ struct vattr *vap) { DECL(coda_getattr); /* sets Isize & Osize */ 
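Review bot: In this request-initialisation macro the two assertions test `cred`, while the accessors added here are called on `ident`, and the only run-time guard is `ident != NOCRED`. A NULL or FSCRED value in `ident` would be handed straight to `kauth_cred_geteuid()`, and KASSERT is normally compiled out of non-DIAGNOSTIC kernels. Assert on the value that is actually used, `KASSERT(ident != NULL); KASSERT(ident != FSCRED);`, here and in the uid-only macro of the next hunk (`(in)->uid = kauth_cred_geteuid(ident)`). Separately, only the NOCRED branch clears `(in)->cred` with memset; if the request buffer is not zeroed where it is allocated (not visible here), the remaining `struct coda_cred` fields are sent uninitialised in the other branch. Both macros begin outside their hunks, so please confirm whether `cred` is the intended name at every expansion site.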
@@ -363,7 +364,7 @@ venus_getattr(void *mdp, CodaFid *fid, int venus_setattr(void *mdp, CodaFid *fid, struct vattr *vap, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_setattr); /* sets Isize & Osize */ ALLOC_NO_OUT(coda_setattr); /* sets inp & outp */ @@ -381,7 +382,7 @@ venus_setattr(void *mdp, CodaFid *fid, struct vattr *vap, int venus_access(void *mdp, CodaFid *fid, int mode, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_access); /* sets Isize & Osize */ ALLOC_NO_OUT(coda_access); /* sets inp & outp */ @@ -399,7 +400,7 @@ venus_access(void *mdp, CodaFid *fid, int mode, int venus_readlink(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ char **str, int *len) { DECL(coda_readlink); /* sets Isize & Osize */ @@ -456,7 +457,7 @@ out: int venus_fsync(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_fsync); /* sets Isize & Osize */ ALLOC_NO_OUT(coda_fsync); /* sets inp & outp */ @@ -474,7 +475,7 @@ venus_fsync(void *mdp, CodaFid *fid, int venus_lookup(void *mdp, CodaFid *fid, const char *nm, int len, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, int *vtype) { DECL(coda_lookup); /* sets Isize & Osize */ @@ -513,7 +514,7 @@ venus_lookup(void *mdp, CodaFid *fid, int venus_create(void *mdp, CodaFid *fid, const char *nm, int len, int exclusive, int mode, struct vattr *va, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, struct vattr *attr) { DECL(coda_create); /* sets Isize & Osize */ @@ -544,7 +545,7 @@ venus_create(void *mdp, CodaFid *fid, int venus_remove(void *mdp, CodaFid *fid, const char *nm, int len, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_remove); /* sets Isize & Osize */ coda_remove_size += len + 1; 
@@ -566,7 +567,7 @@ venus_remove(void *mdp, CodaFid *fid, int venus_link(void *mdp, CodaFid *fid, CodaFid *tfid, const char *nm, int len, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_link); /* sets Isize & Osize */ coda_link_size += len + 1; @@ -589,7 +590,7 @@ venus_link(void *mdp, CodaFid *fid, CodaFid *tfid, int venus_rename(void *mdp, CodaFid *fid, CodaFid *tfid, const char *nm, int len, const char *tnm, int tlen, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_rename); /* sets Isize & Osize */ coda_rename_size += len + 1 + tlen + 1; @@ -615,7 +616,7 @@ venus_rename(void *mdp, CodaFid *fid, CodaFid *tfid, int venus_mkdir(void *mdp, CodaFid *fid, const char *nm, int len, struct vattr *va, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, struct vattr *ova) { DECL(coda_mkdir); /* sets Isize & Osize */ @@ -644,7 +645,7 @@ venus_mkdir(void *mdp, CodaFid *fid, int venus_rmdir(void *mdp, CodaFid *fid, const char *nm, int len, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_rmdir); /* sets Isize & Osize */ coda_rmdir_size += len + 1; @@ -666,7 +667,7 @@ venus_rmdir(void *mdp, CodaFid *fid, int venus_symlink(void *mdp, CodaFid *fid, const char *lnm, int llen, const char *nm, int len, struct vattr *va, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { DECL_NO_OUT(coda_symlink); /* sets Isize & Osize */ coda_symlink_size += llen + 1 + len + 1; @@ -692,7 +693,7 @@ venus_symlink(void *mdp, CodaFid *fid, int venus_readdir(void *mdp, CodaFid *fid, int count, int offset, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ char *buffer, int *len) { DECL(coda_readdir); /* sets Isize & Osize */ 
@@ -718,7 +719,7 @@ venus_readdir(void *mdp, CodaFid *fid, } int -venus_statfs(void *mdp, struct ucred *cred, struct lwp *l, +venus_statfs(void *mdp, kauth_cred_t cred, struct lwp *l, /*out*/ struct coda_statfs *fsp) { DECL(coda_statfs); /* sets Isize & Osize */ @@ -739,7 +740,7 @@ venus_statfs(void *mdp, struct ucred *cred, struct lwp *l, int venus_fhtovp(void *mdp, CodaFid *fid, - struct ucred *cred, struct proc *p, + kauth_cred_t cred, struct proc *p, /*out*/ CodaFid *VFid, int *vtype) { DECL(coda_vget); /* sets Isize & Osize */ diff --git a/sys/coda/coda_venus.h b/sys/coda/coda_venus.h index 864689d6fdee..d85e1137c43d 100644 --- a/sys/coda/coda_venus.h +++ b/sys/coda/coda_venus.h @@ -1,4 +1,4 @@ -/* $NetBSD: coda_venus.h,v 1.9 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_venus.h,v 1.10 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -33,17 +33,17 @@ int venus_root(void *mdp, - struct ucred *cred, struct proc *p, + kauth_cred_t cred, struct proc *p, /*out*/ CodaFid *VFid); int venus_open(void *mdp, CodaFid *fid, int flag, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ dev_t *dev, ino_t *inode); int venus_close(void *mdp, CodaFid *fid, int flag, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); void venus_read(void); 
@@ -54,84 +54,84 @@ venus_write(void); int venus_ioctl(void *mdp, CodaFid *fid, int com, int flag, caddr_t data, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_getattr(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ struct vattr *vap); int venus_setattr(void *mdp, CodaFid *fid, struct vattr *vap, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_access(void *mdp, CodaFid *fid, int mode, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_readlink(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ char **str, int *len); int venus_fsync(void *mdp, CodaFid *fid, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_lookup(void *mdp, CodaFid *fid, const char *nm, int len, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, int *vtype); int venus_create(void *mdp, CodaFid *fid, const char *nm, int len, int exclusive, int mode, struct vattr *va, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, struct vattr *attr); int venus_remove(void *mdp, CodaFid *fid, const char *nm, int len, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_link(void *mdp, CodaFid *fid, CodaFid *tfid, const char *nm, int len, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_rename(void *mdp, CodaFid *fid, CodaFid *tfid, const char *nm, int len, const char *tnm, int tlen, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_mkdir(void *mdp, CodaFid *fid, const char *nm, int len, struct vattr *va, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ CodaFid *VFid, struct vattr *ova); int venus_rmdir(void *mdp, CodaFid *fid, const char 
*nm, int len, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_symlink(void *mdp, CodaFid *fid, const char *lnm, int llen, const char *nm, int len, struct vattr *va, - struct ucred *cred, struct lwp *l); + kauth_cred_t cred, struct lwp *l); int venus_readdir(void *mdp, CodaFid *fid, int count, int offset, - struct ucred *cred, struct lwp *l, + kauth_cred_t cred, struct lwp *l, /*out*/ char *buffer, int *len); int -venus_statfs(void *mdp, struct ucred *cred, struct lwp *l, +venus_statfs(void *mdp, kauth_cred_t cred, struct lwp *l, /*out*/ struct coda_statfs *fsp); int venus_fhtovp(void *mdp, CodaFid *fid, - struct ucred *cred, struct proc *p, + kauth_cred_t cred, struct proc *p, /*out*/ CodaFid *VFid, int *vtype); diff --git a/sys/coda/coda_vfsops.c b/sys/coda/coda_vfsops.c index e4f0f3ddc001..0808697b6174 100644 --- a/sys/coda/coda_vfsops.c +++ b/sys/coda/coda_vfsops.c @@ -1,4 +1,4 @@ -/* $NetBSD: coda_vfsops.c,v 1.47 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_vfsops.c,v 1.48 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -45,7 +45,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.47 2005/12/11 12:19:50 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.48 2006/05/14 21:24:49 elad Exp $"); #ifdef _LKM #define NVCODA 4 @@ -63,6 +63,7 @@ __KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.47 2005/12/11 12:19:50 christos Ex #include #include #include +#include #include #include @@ -353,7 +354,7 @@ coda_root(struct mount *vfsp, struct vnode **vpp) } } - error = venus_root(vftomi(vfsp), p->p_cred->pc_ucred, p, &VFid); + error = venus_root(vftomi(vfsp), p->p_cred, p, &VFid); if (!error) { /* 
@@ -426,7 +427,7 @@ coda_nb_statvfs(struct mount *vfsp, struct statvfs *sbp, struct lwp *l) */ /* Note: Normal fs's have a bsize of 0x400 == 1024 */ - error = venus_statfs(vftomi(vfsp), p->p_cred->pc_ucred, l, &fsstat); + error = venus_statfs(vftomi(vfsp), p->p_cred, l, &fsstat); if (!error) { sbp->f_bsize = 8192; /* XXX */ @@ -451,7 +452,7 @@ coda_nb_statvfs(struct mount *vfsp, struct statvfs *sbp, struct lwp *l) * Flush any pending I/O. */ int -coda_sync(struct mount *vfsp, int waitfor, struct ucred *cred, struct lwp *l) +coda_sync(struct mount *vfsp, int waitfor, kauth_cred_t cred, struct lwp *l) { ENTRY; MARK_ENTRY(CODA_SYNC_STATS); @@ -473,7 +474,7 @@ coda_vget(struct mount *vfsp, ino_t ino, struct vnode **vpp) */ int coda_fhtovp(struct mount *vfsp, struct fid *fhp, struct mbuf *nam, - struct vnode **vpp, int *exflagsp, struct ucred **creadanonp) + struct vnode **vpp, int *exflagsp, kauth_cred_t *creadanonp) { struct cfid *cfid = (struct cfid *)fhp; struct cnode *cp = 0; @@ -493,7 +494,7 @@ coda_fhtovp(struct mount *vfsp, struct fid *fhp, struct mbuf *nam, return(0); } - error = venus_fhtovp(vftomi(vfsp), &cfid->cfid_fid, p->p_cred->pc_ucred, p, &VFid, &vtype); + error = venus_fhtovp(vftomi(vfsp), &cfid->cfid_fid, p->p_cred, p, &VFid, &vtype); if (error) { CODADEBUG(CODA_VGET, myprintf(("vget error %d\n",error));) diff --git a/sys/coda/coda_vfsops.h b/sys/coda/coda_vfsops.h index e6791c83b0a7..80f23e1181ae 100644 --- a/sys/coda/coda_vfsops.h +++ b/sys/coda/coda_vfsops.h @@ -1,4 +1,4 @@ -/* $NetBSD: coda_vfsops.h,v 1.14 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_vfsops.h,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /* * 
@@ -53,10 +53,10 @@ int coda_unmount(struct mount *, int, struct lwp *); int coda_root(struct mount *, struct vnode **); int coda_quotactl(struct mount *, int, uid_t, void *, struct lwp *); int coda_nb_statvfs(struct mount *, struct statvfs *, struct lwp *); -int coda_sync(struct mount *, int, struct ucred *, struct lwp *); +int coda_sync(struct mount *, int, kauth_cred_t, struct lwp *); int coda_vget(struct mount *, ino_t, struct vnode **); int coda_fhtovp(struct mount *, struct fid *, struct mbuf *, struct vnode **, - int *, struct ucred **); + int *, kauth_cred_t *); int coda_vptofh(struct vnode *, struct fid *); void coda_init(void); void coda_done(void); diff --git a/sys/coda/coda_vnops.c b/sys/coda/coda_vnops.c index 811ab53a3267..b040eff56a1b 100644 --- a/sys/coda/coda_vnops.c +++ b/sys/coda/coda_vnops.c @@ -6,7 +6,7 @@ mkdir rmdir symlink */ -/* $NetBSD: coda_vnops.c,v 1.48 2006/04/12 01:05:14 christos Exp $ */ +/* $NetBSD: coda_vnops.c,v 1.49 2006/05/14 21:24:49 elad Exp $ */ /* * @@ -54,7 +54,7 @@ symlink */ #include -__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.48 2006/04/12 01:05:14 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.49 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -69,6 +69,8 @@ __KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.48 2006/04/12 01:05:14 christos Exp #include #include #include +#include + #include #include @@ -224,7 +226,7 @@ coda_open(void *v) struct vnode **vpp = &(ap->a_vp); struct cnode *cp = VTOC(*vpp); int flag = ap->a_mode & (~O_EXCL); - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; @@ -301,7 +303,7 @@ coda_close(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); int flag = ap->a_fflag; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; 
@@ -374,7 +376,7 @@ coda_write(void *v) int coda_rdwr(struct vnode *vp, struct uio *uiop, enum uio_rw rw, int ioflag, - struct ucred *cred, struct lwp *l) + kauth_cred_t cred, struct lwp *l) { /* upcall decl */ /* NOTE: container file operation!!! */ @@ -477,7 +479,7 @@ coda_ioctl(void *v) int com = ap->a_command; caddr_t data = ap->a_data; int flag = ap->a_fflag; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; @@ -561,7 +563,7 @@ coda_getattr(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); struct vattr *vap = ap->a_vap; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; @@ -613,7 +615,7 @@ coda_setattr(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); struct vattr *vap = ap->a_vap; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; @@ -646,7 +648,7 @@ coda_access(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); int mode = ap->a_mode; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ int error; @@ -711,7 +713,7 @@ coda_readlink(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); struct uio *uiop = ap->a_uio; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; /* locals */ struct lwp *l = curlwp; int error; @@ -761,7 +763,7 @@ coda_fsync(void *v) struct vop_fsync_args *ap = v; struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; struct lwp *l = ap->a_l; /* locals */ struct vnode *convp = cp->c_ovp; 
@@ -813,7 +815,7 @@ coda_inactive(void *v) struct vop_inactive_args *ap = v; struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); - struct ucred *cred __attribute__((unused)) = NULL; + kauth_cred_t cred __attribute__((unused)) = NULL; struct lwp *l __attribute__((unused)) = curlwp; /* upcall decl */ /* locals */ @@ -893,7 +895,7 @@ coda_lookup(void *v) * could be wrong. */ struct componentname *cnp = ap->a_cnp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ struct cnode *cp; @@ -1055,7 +1057,7 @@ coda_create(void *v) int mode = ap->a_vap->va_mode; struct vnode **vpp = ap->a_vpp; struct componentname *cnp = ap->a_cnp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ int error; @@ -1155,7 +1157,7 @@ coda_remove(void *v) struct vnode *dvp = ap->a_dvp; struct cnode *cp = VTOC(dvp); struct componentname *cnp = ap->a_cnp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ int error; @@ -1230,7 +1232,7 @@ coda_link(void *v) struct vnode *tdvp = ap->a_dvp; struct cnode *tdcp = VTOC(tdvp); struct componentname *cnp = ap->a_cnp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ int error; @@ -1309,7 +1311,7 @@ coda_rename(void *v) struct vnode *ndvp = ap->a_tdvp; struct cnode *ndcp = VTOC(ndvp); struct componentname *tcnp = ap->a_tcnp; - struct ucred *cred = fcnp->cn_cred; + kauth_cred_t cred = fcnp->cn_cred; struct lwp *l = fcnp->cn_lwp; /* true args */ int error; @@ -1402,7 +1404,7 @@ coda_mkdir(void *v) struct componentname *cnp = ap->a_cnp; struct vattr *va = ap->a_vap; struct vnode **vpp = ap->a_vpp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ int error; 
@@ -1491,7 +1493,7 @@ coda_rmdir(void *v) struct vnode *dvp = ap->a_dvp; struct cnode *dcp = VTOC(dvp); struct componentname *cnp = ap->a_cnp; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* true args */ int error; @@ -1555,7 +1557,7 @@ coda_symlink(void *v) struct componentname *cnp = ap->a_cnp; struct vattr *tva = ap->a_vap; char *path = ap->a_target; - struct ucred *cred = cnp->cn_cred; + kauth_cred_t cred = cnp->cn_cred; struct lwp *l = cnp->cn_lwp; /* locals */ int error; @@ -1645,7 +1647,7 @@ coda_readdir(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); struct uio *uiop = ap->a_uio; - struct ucred *cred = ap->a_cred; + kauth_cred_t cred = ap->a_cred; int *eofflag = ap->a_eofflag; off_t **cookies = ap->a_cookies; int *ncookies = ap->a_ncookies; @@ -1911,15 +1913,18 @@ print_vattr(struct vattr *attr) /* How to print a ucred */ void -print_cred(struct ucred *cred) +print_cred(kauth_cred_t cred) { + uint16_t ngroups; int i; - myprintf(("ref %d\tuid %d\n",cred->cr_ref,cred->cr_uid)); + myprintf(("ref %d\tuid %d\n", kauth_cred_getrefcnt(cred), + kauth_cred_geteuid(cred))); - for (i=0; i < cred->cr_ngroups; i++) - myprintf(("\tgroup %d: (%d)\n",i,cred->cr_groups[i])); + ngroups = kauth_cred_ngroups(cred); + for (i=0; i < ngroups; i++) + myprintf(("\tgroup %d: (%d)\n", i, kauth_cred_group(cred, i))); myprintf(("\n")); } @@ -1976,7 +1981,7 @@ coda_getpages(void *v) struct vnode *vp = ap->a_vp; struct cnode *cp = VTOC(vp); struct lwp *l = curlwp; - struct ucred *cred = l->l_proc->p_ucred; + kauth_cred_t cred = l->l_proc->p_cred; int error; /* Check for control object. */ diff --git a/sys/coda/coda_vnops.h b/sys/coda/coda_vnops.h index d5052a1dd675..b8dea80f9b3b 100644 --- a/sys/coda/coda_vnops.h +++ b/sys/coda/coda_vnops.h @@ -1,4 +1,4 @@ -/* $NetBSD: coda_vnops.h,v 1.12 2005/12/11 12:19:50 christos Exp $ */ +/* $NetBSD: coda_vnops.h,v 1.13 2006/05/14 21:24:49 elad Exp $ */ /* * 
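Review bot: The comment above print_cred still reads `/* How to print a ucred */` although the function now takes a `kauth_cred_t` and reads it only through accessors; it should become `/* How to print a kauth credential */`. The two `myprintf` calls keep `%d` for the reference count, uid and gid values, which are presumably unsigned types, so `%u` would match them better. The comment could also say whether a NULL credential is acceptable, since the accessors are now called unconditionally.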
@@ -81,8 +81,8 @@ int coda_putpages(void *); int (**coda_vnodeop_p)(void *); int coda_rdwr(struct vnode *vp, struct uio *uiop, enum uio_rw rw, - int ioflag, struct ucred *cred, struct lwp *l); + int ioflag, kauth_cred_t cred, struct lwp *l); int coda_grab_vnode(dev_t dev, ino_t ino, struct vnode **vpp); void print_vattr(struct vattr *attr); -void print_cred(struct ucred *cred); +void print_cred(kauth_cred_t cred); diff --git a/sys/compat/common/compat_util.c b/sys/compat/common/compat_util.c index 692ddfbc4988..933c4c8e83d1 100644 --- a/sys/compat/common/compat_util.c +++ b/sys/compat/common/compat_util.c @@ -1,4 +1,4 @@ -/* $NetBSD: compat_util.c,v 1.30 2005/12/11 12:19:56 christos Exp $ */ +/* $NetBSD: compat_util.c,v 1.31 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 1994 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: compat_util.c,v 1.30 2005/12/11 12:19:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: compat_util.c,v 1.31 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -170,10 +170,10 @@ emul_find(l, sgp, prefix, path, pbuf, sflag) if ((error = namei(&ndroot)) != 0) goto bad2; - if ((error = VOP_GETATTR(nd.ni_vp, &vat, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(nd.ni_vp, &vat, p->p_cred, l)) != 0) goto bad3; - if ((error = VOP_GETATTR(ndroot.ni_vp, &vatroot, p->p_ucred, l)) + if ((error = VOP_GETATTR(ndroot.ni_vp, &vatroot, p->p_cred, l)) != 0) goto bad3; diff --git a/sys/compat/common/kern_info_43.c b/sys/compat/common/kern_info_43.c index 65e33e705ab7..21d03909e743 100644 --- a/sys/compat/common/kern_info_43.c +++ b/sys/compat/common/kern_info_43.c @@ -1,4 +1,4 @@ -/* $NetBSD: kern_info_43.c,v 1.21 2005/12/11 12:19:56 christos Exp $ */ +/* $NetBSD: kern_info_43.c,v 1.22 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1982, 1986, 1991, 1993 
@@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_info_43.c,v 1.21 2005/12/11 12:19:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_info_43.c,v 1.22 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -49,6 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_info_43.c,v 1.21 2005/12/11 12:19:56 christos E #include #include #include +#include #include #include @@ -288,7 +289,7 @@ compat_43_sys_sethostid(struct lwp *l, void *v, register_t *retval) struct proc *p = l->l_proc; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); hostid = SCARG(uap, hostid); return (0); diff --git a/sys/compat/common/kern_sig_43.c b/sys/compat/common/kern_sig_43.c index f05c1cfff4e3..107c29fb1ae5 100644 --- a/sys/compat/common/kern_sig_43.c +++ b/sys/compat/common/kern_sig_43.c @@ -1,4 +1,4 @@ -/* $NetBSD: kern_sig_43.c,v 1.21 2005/12/11 12:19:56 christos Exp $ */ +/* $NetBSD: kern_sig_43.c,v 1.22 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.21 2005/12/11 12:19:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.22 2006/05/14 21:24:49 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -61,6 +61,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.21 2005/12/11 12:19:56 christos Ex #include #include #include +#include #include #include @@ -277,6 +278,6 @@ compat_43_sys_killpg(struct lwp *l, void *v, register_t *retval) ksi.ksi_signo = SCARG(uap, signum); ksi.ksi_code = SI_USER; ksi.ksi_pid = p->p_pid; - ksi.ksi_uid = p->p_ucred->cr_uid; + ksi.ksi_uid = kauth_cred_geteuid(p->p_cred); return (killpg1(p, &ksi, SCARG(uap, pgid), 0)); } diff --git a/sys/compat/common/kern_xxx_12.c b/sys/compat/common/kern_xxx_12.c index 4050bd882a3c..1e0f61e77f3f 100644 --- a/sys/compat/common/kern_xxx_12.c 
+++ b/sys/compat/common/kern_xxx_12.c @@ -1,4 +1,4 @@ -/* $NetBSD: kern_xxx_12.c,v 1.6 2005/12/11 12:19:56 christos Exp $ */ +/* $NetBSD: kern_xxx_12.c,v 1.7 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1993 @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_xxx_12.c,v 1.6 2005/12/11 12:19:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_xxx_12.c,v 1.7 2006/05/14 21:24:49 elad Exp $"); /*#ifdef COMPAT_12*/ @@ -44,6 +44,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_xxx_12.c,v 1.6 2005/12/11 12:19:56 christos Exp #include #include #include +#include /* ARGSUSED */ int @@ -55,7 +56,7 @@ compat_12_sys_reboot(struct lwp *l, void *v, register_t *retval) struct proc *p = l->l_proc; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); cpu_reboot(SCARG(uap, opt), NULL); return (0); diff --git a/sys/compat/common/vfs_syscalls_20.c b/sys/compat/common/vfs_syscalls_20.c index 32cb3bf8b6df..df0220e7ce5d 100644 --- a/sys/compat/common/vfs_syscalls_20.c +++ b/sys/compat/common/vfs_syscalls_20.c @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_20.c,v 1.7 2006/03/07 03:32:06 thorpej Exp $ */ +/* $NetBSD: vfs_syscalls_20.c,v 1.8 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_20.c,v 1.7 2006/03/07 03:32:06 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_20.c,v 1.8 2006/05/14 21:24:49 elad Exp $"); #include "opt_compat_netbsd.h" #include "opt_compat_43.h" @@ -59,6 +59,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_20.c,v 1.7 2006/03/07 03:32:06 thorpej #include #include #include +#include #include 
@@ -292,7 +293,7 @@ compat_20_sys_fhstatfs(l, v, retval) /* * Must be super user */ - if ((error = suser(p->p_ucred, &p->p_acflag))) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (error); if ((error = copyin(SCARG(uap, fhp), &fh, sizeof(fhandle_t))) != 0) diff --git a/sys/compat/common/vfs_syscalls_30.c b/sys/compat/common/vfs_syscalls_30.c index 555bf9c325b1..dbb2de0d7123 100644 --- a/sys/compat/common/vfs_syscalls_30.c +++ b/sys/compat/common/vfs_syscalls_30.c @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_30.c,v 1.8 2006/05/04 17:48:57 christos Exp $ */ +/* $NetBSD: vfs_syscalls_30.c,v 1.9 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2005 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.8 2006/05/04 17:48:57 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.9 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.8 2006/05/04 17:48:57 christos #include #include #include +#include #include #include @@ -165,7 +166,8 @@ compat_30_sys_fhstat(struct lwp *l, void *v, register_t *retval) /* * Must be super user */ - if ((error = suser(p->p_ucred, &p->p_acflag))) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (error); if ((error = copyin(SCARG(uap, fhp), &fh, sizeof(fhandle_t))) != 0) diff --git a/sys/compat/darwin/darwin_attr.c b/sys/compat/darwin/darwin_attr.c index 5cbb39e89603..1120330c6cac 100644 --- a/sys/compat/darwin/darwin_attr.c +++ b/sys/compat/darwin/darwin_attr.c @@ -1,4 +1,4 @@ -/* $NetBSD: darwin_attr.c,v 1.9 2005/12/11 12:19:56 christos Exp $ */ +/* $NetBSD: darwin_attr.c,v 1.10 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2003 The NetBSD Foundation, Inc. 
@@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: darwin_attr.c,v 1.9 2005/12/11 12:19:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: darwin_attr.c,v 1.10 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -127,7 +127,7 @@ darwin_sys_getattrlist(l, v, retval) struct statfs12 f; struct nameidata nd; struct vnode *vp; - struct ucred *cred; + kauth_cred_t cred; const char *path; caddr_t sg = stackgap_init(p, 0); int fl; @@ -198,9 +198,9 @@ darwin_sys_getattrlist(l, v, retval) * vnode structure */ - cred = crdup(p->p_ucred); - cred->cr_uid = p->p_cred->p_ruid; - cred->cr_gid = p->p_cred->p_rgid; + cred = kauth_cred_dup(p->p_cred); + kauth_cred_seteuid(cred, kauth_cred_getuid(p->p_cred)); + kauth_cred_setegid(cred, kauth_cred_getgid(p->p_cred)); NDINIT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, path, l); if ((error = namei(&nd)) != 0) @@ -800,7 +800,7 @@ darwin_sys_getattrlist(l, v, retval) out3: vput(vp); out2: - crfree(cred); + kauth_cred_free(cred); free(tbuf, M_TEMP); return error; diff --git a/sys/compat/darwin/darwin_sysctl.c b/sys/compat/darwin/darwin_sysctl.c index 52b165b23edf..5f05ebe75c80 100644 --- a/sys/compat/darwin/darwin_sysctl.c +++ b/sys/compat/darwin/darwin_sysctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: darwin_sysctl.c,v 1.39 2006/03/01 12:38:12 yamt Exp $ */ +/* $NetBSD: darwin_sysctl.c,v 1.40 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: darwin_sysctl.c,v 1.39 2006/03/01 12:38:12 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: darwin_sysctl.c,v 1.40 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -700,12 +700,12 @@ again: break; case DARWIN_KERN_PROC_UID: - if (p->p_ucred->cr_uid != (uid_t)arg) + if (kauth_cred_geteuid(p->p_cred) != (uid_t)arg) continue; break; case DARWIN_KERN_PROC_RUID: - if (p->p_cred->p_ruid != (uid_t)arg) + if (kauth_cred_getuid(p->p_cred) != (uid_t)arg) continue; break; 
@@ -813,16 +813,17 @@ darwin_fill_kproc(p, dkp) /* (ptr) */ de->e_paddr = (struct darwin_proc *)p; /* (ptr) */ de->e_sess = (struct darwin_session *)p->p_session; - de->e_pcred.pc_ruid = p->p_cred->p_ruid; - de->e_pcred.pc_svuid = p->p_cred->p_svuid; - de->e_pcred.pc_rgid = p->p_cred->p_rgid; - de->e_pcred.pc_svgid = p->p_cred->p_svgid; - de->e_pcred.pc_refcnt = p->p_cred->p_refcnt; - de->e_ucred.cr_ref = p->p_ucred->cr_ref; - de->e_ucred.cr_uid = p->p_ucred->cr_uid; - de->e_ucred.cr_ngroups = p->p_ucred->cr_ngroups; - (void)memcpy(de->e_ucred.cr_groups, - p->p_ucred->cr_groups, sizeof(gid_t) * DARWIN_NGROUPS); + de->e_pcred.pc_ruid = kauth_cred_getuid(p->p_cred); + de->e_pcred.pc_svuid = kauth_cred_getsvuid(p->p_cred); + de->e_pcred.pc_rgid = kauth_cred_getgid(p->p_cred); + de->e_pcred.pc_svgid = kauth_cred_getsvgid(p->p_cred); + de->e_pcred.pc_refcnt = kauth_cred_getrefcnt(p->p_cred); + /* XXX elad ? de->e_ucred.cr_ref = p->p_ucred->cr_ref; */ + /* XXX elad ? de->e_ucred.cr_ref = kauth_cred_getrefcnt(p->p_cred); */ + de->e_ucred.cr_uid = kauth_cred_geteuid(p->p_cred); + de->e_ucred.cr_ngroups = kauth_cred_ngroups(p->p_cred); + kauth_cred_getgroups(p->p_cred, de->e_ucred.cr_groups, + sizeof(de->e_ucred.cr_groups) / sizeof(de->e_ucred.cr_groups[0])); de->e_vm.vm_refcnt = p->p_vmspace->vm_refcnt; de->e_vm.vm_rssize = p->p_vmspace->vm_rssize; de->e_vm.vm_swrss = p->p_vmspace->vm_swrss; @@ -930,9 +931,9 @@ darwin_sysctl_procargs(SYSCTLFN_ARGS) return (EINVAL); /* only root or same user change look at the environment */ - if (up->p_ucred->cr_uid != 0) { - if (up->p_cred->p_ruid != p->p_cred->p_ruid || - up->p_cred->p_ruid != p->p_cred->p_svuid) + if (kauth_cred_geteuid(up->p_cred) != 0) { + if (kauth_cred_getuid(up->p_cred) != kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(up->p_cred) != kauth_cred_getsvuid(p->p_cred)) return (EPERM); } diff --git a/sys/compat/freebsd/freebsd_sched.c b/sys/compat/freebsd/freebsd_sched.c index 7f7416623a6b..19c3f0eb7f45 100644 
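Review bot: `de->e_ucred.cr_ref` is no longer assigned in darwin_fill_kproc; both candidate lines are left commented out with `XXX elad ?`. If `dkp` is not zeroed before this function fills it (not visible in the hunk), that field is handed back to the sysctl caller holding whatever the buffer contained, so assign it explicitly, e.g. `de->e_ucred.cr_ref = kauth_cred_getrefcnt(p->p_cred);`, or set it to 0 with a comment saying why. Separately, `cr_ngroups` is taken straight from `kauth_cred_ngroups()` while the group copy is capped at the size of `cr_groups`, so the reported count can exceed the entries actually filled; clamp it to the same bound. The return value of `kauth_cred_getgroups()` is also ignored.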
--- a/sys/compat/freebsd/freebsd_sched.c +++ b/sys/compat/freebsd/freebsd_sched.c @@ -1,4 +1,4 @@ -/* $NetBSD: freebsd_sched.c,v 1.2 2003/01/18 07:33:16 thorpej Exp $ */ +/* $NetBSD: freebsd_sched.c,v 1.3 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -42,13 +42,14 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: freebsd_sched.c,v 1.2 2003/01/18 07:33:16 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: freebsd_sched.c,v 1.3 2006/05/14 21:24:49 elad Exp $"); #include #include #include #include #include +#include #include @@ -91,16 +92,16 @@ freebsd_sys_sched_setparam(l, v, retval) return error; if (SCARG(uap, pid) != 0) { - struct pcred *pc = l->l_proc->p_cred; + kauth_cred_t pc = l->l_proc->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(l->l_proc == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } 
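Review bot: The five-way uid comparison in freebsd_sys_sched_setparam is repeated verbatim in the sched_getparam, sched_setscheduler and sched_getscheduler hunks that follow, so any later change to the policy has to be made in four places. A single static helper taking the caller's and the target's credentials would keep the check in one spot, with each call site reduced to `if (l->l_proc != p && !freebsd_sched_cred_ok(pc, p->p_cred)) return EPERM;`. The root test is also open-coded as `kauth_cred_geteuid(pc) == 0`, while the rest of this commit routes superuser checks through `kauth_authorize_generic(..., KAUTH_GENERIC_ISSUSER, ...)`; a comment on the helper should say whether that difference is intentional. Each of the four functions starts and ends outside its hunk.

```c
/*
 * Nonzero when a caller holding `pc` may inspect or change the
 * scheduling parameters of a process holding `tc`.
 */
static int
freebsd_sched_cred_ok(kauth_cred_t pc, kauth_cred_t tc)
{
	return kauth_cred_geteuid(pc) == 0 ||
	    kauth_cred_getuid(pc) == kauth_cred_getuid(tc) ||
	    kauth_cred_geteuid(pc) == kauth_cred_getuid(tc) ||
	    kauth_cred_getuid(pc) == kauth_cred_geteuid(tc) ||
	    kauth_cred_geteuid(pc) == kauth_cred_geteuid(tc);
}

/* … unchanged: copyin of the scheduling parameters … */
	if (SCARG(uap, pid) != 0) {
		kauth_cred_t pc = l->l_proc->p_cred;

		if ((p = pfind(SCARG(uap, pid))) == NULL)
			return ESRCH;
		if (l->l_proc != p && !freebsd_sched_cred_ok(pc, p->p_cred))
			return EPERM;
	}
```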
@@ -128,16 +129,16 @@ freebsd_sys_sched_getparam(l, v, retval) return EINVAL; if (SCARG(uap, pid) != 0) { - struct pcred *pc = l->l_proc->p_cred; + kauth_cred_t pc = l->l_proc->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(l->l_proc == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } @@ -171,16 +172,16 @@ freebsd_sys_sched_setscheduler(l, v, retval) return error; if (SCARG(uap, pid) != 0) { - struct pcred *pc = l->l_proc->p_cred; + kauth_cred_t pc = l->l_proc->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(l->l_proc == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } 
@@ -210,16 +211,16 @@ freebsd_sys_sched_getscheduler(l, v, retval) * We only check for valid parameters and return afterwards. */ if (SCARG(uap, pid) != 0) { - struct pcred *pc = l->l_proc->p_cred; + kauth_cred_t pc = l->l_proc->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(l->l_proc == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } diff --git a/sys/compat/freebsd/freebsd_syscallargs.h b/sys/compat/freebsd/freebsd_syscallargs.h index 81df2ea5100f..a58885e99308 100644 --- a/sys/compat/freebsd/freebsd_syscallargs.h +++ b/sys/compat/freebsd/freebsd_syscallargs.h @@ -1,4 +1,4 @@ -/* $NetBSD: freebsd_syscallargs.h,v 1.64 2006/05/04 17:50:28 christos Exp $ */ +/* $NetBSD: freebsd_syscallargs.h,v 1.65 2006/05/14 21:24:49 elad Exp $ */ /* * System call argument lists. diff --git a/sys/compat/hpux/hpux_compat.c b/sys/compat/hpux/hpux_compat.c index 0134e28e5de9..57d4053cfeab 100644 --- a/sys/compat/hpux/hpux_compat.c +++ b/sys/compat/hpux/hpux_compat.c @@ -1,4 +1,4 @@ -/* $NetBSD: hpux_compat.c,v 1.73 2005/12/11 12:20:02 christos Exp $ */ +/* $NetBSD: hpux_compat.c,v 1.74 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1990, 1993 @@ -82,7 +82,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.73 2005/12/11 12:20:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.74 2006/05/14 21:24:49 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_sysv.h" 
@@ -545,7 +545,7 @@ hpux_sys_ulimit(l, v, retval) case 2: SCARG(uap, newlimit) *= 512; if (SCARG(uap, newlimit) > limp->rlim_max && - (error = suser(p->p_ucred, &p->p_acflag))) + (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) break; limp->rlim_cur = limp->rlim_max = SCARG(uap, newlimit); /* else fall into... */ @@ -936,7 +936,8 @@ hpux_sys_getpgrp2(lp, v, retval) p = pfind(SCARG(uap, pid)); if (p == 0) return (ESRCH); - if (cp->p_ucred->cr_uid && p->p_ucred->cr_uid != cp->p_ucred->cr_uid && + if (kauth_cred_geteuid(cp->p_cred) && + kauth_cred_geteuid(p->p_cred) != kauth_cred_geteuid(cp->p_cred) && !inferior(p, cp)) return (EPERM); *retval = p->p_pgid; @@ -1050,19 +1051,20 @@ hpux_sys_getaccess(l, v, retval) struct hpux_sys_getaccess_args *uap = v; int lgroups[NGROUPS]; int error = 0; - struct ucred *cred; + kauth_cred_t cred; struct vnode *vp; struct nameidata nd; + gid_t gid; /* * Build an appropriate credential structure */ - cred = crdup(p->p_ucred); + cred = kauth_cred_dup(p->p_cred); switch (SCARG(uap, uid)) { case 65502: /* UID_EUID */ break; case 65503: /* UID_RUID */ - cred->cr_uid = p->p_cred->p_ruid; + kauth_cred_seteuid(cred, kauth_cred_getuid(p->p_cred)); break; case 65504: /* UID_SUID */ error = EINVAL; 
@@ -1070,29 +1072,31 @@ hpux_sys_getaccess(l, v, retval) default: if (SCARG(uap, uid) > 65504) error = EINVAL; - cred->cr_uid = SCARG(uap, uid); + kauth_cred_seteuid(cred, SCARG(uap, uid)); break; } switch (SCARG(uap, ngroups)) { case -1: /* NGROUPS_EGID */ - cred->cr_ngroups = 1; + gid = kauth_cred_getegid(cred); + kauth_cred_setgroups(cred, &gid, 1, -1); break; case -5: /* NGROUPS_EGID_SUPP */ break; case -2: /* NGROUPS_RGID */ - cred->cr_ngroups = 1; - cred->cr_gid = p->p_cred->p_rgid; + kauth_cred_setegid(cred, kauth_cred_getgid(p->p_cred)); + gid = kauth_cred_geteuid(gid); + kauth_cred_setgroups(cred, &gid, 1, -1); break; case -6: /* NGROUPS_RGID_SUPP */ - cred->cr_gid = p->p_cred->p_rgid; + kauth_cred_setegid(cred, kauth_cred_getgid(p->p_cred)); break; case -3: /* NGROUPS_SGID */ case -7: /* NGROUPS_SGID_SUPP */ error = EINVAL; break; case -4: /* NGROUPS_SUPP */ - if (cred->cr_ngroups > 1) - cred->cr_gid = cred->cr_groups[1]; + if (kauth_cred_ngroups(cred) > 1) + kauth_cred_setegid(cred, kauth_cred_group(cred, 1)); else error = EINVAL; break; @@ -1104,13 +1108,8 @@ hpux_sys_getaccess(l, v, retval) sizeof(lgroups[0])); else error = EINVAL; - if (error == 0) { - int gid; - - for (gid = 0; gid < SCARG(uap, ngroups); gid++) - cred->cr_groups[gid] = lgroups[gid]; - cred->cr_ngroups = SCARG(uap, ngroups); - } + if (error == 0) + kauth_cred_setgroups(cred, lgroups, ngroups, -1); break; } /* @@ -1122,7 +1121,7 @@ hpux_sys_getaccess(l, v, retval) error = namei(&nd); } if (error) { - crfree(cred); + kauth_cred_free(cred); return (error); } /* @@ -1137,7 +1136,7 @@ hpux_sys_getaccess(l, v, retval) if (VOP_ACCESS(vp, VEXEC, cred, l) == 0) *retval |= X_OK; vput(vp); - crfree(cred); + kauth_cred_free(cred); return (error); } 
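Review bot: In the `NGROUPS_RGID` case (`case -2`) the new line `gid = kauth_cred_geteuid(gid);` passes the `gid_t` local where a credential is expected and asks for the effective uid rather than a gid. The neighbouring `NGROUPS_EGID` case uses `gid = kauth_cred_getegid(cred);`, and the same call fits here because `kauth_cred_setegid()` has just stored the real gid in `cred`. As written, the one-element group list handed to `kauth_cred_setgroups()` does not hold the real gid, so the `VOP_ACCESS()` checks later in hpux_sys_getaccess would be evaluated against the wrong group. The function starts and ends outside this hunk.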
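Review bot: `kauth_cred_setgroups(cred, lgroups, ngroups, -1);` uses a bare `ngroups`, but the removed loop took the count from `SCARG(uap, ngroups)` and the declarations visible in the earlier hpux_sys_getaccess hunk show no local of that name, so this line likely does not compile; `kauth_cred_setgroups(cred, lgroups, SCARG(uap, ngroups), -1);` keeps the old count. `lgroups` is declared `int lgroups[NGROUPS]`, so if the setter expects a `gid_t *` the array should be declared `gid_t` rather than passed through a pointer of a different type. The upper bound on the count is enforced in context outside this hunk; confirm it still limits the value to `NGROUPS` before it reaches the setter, since this list feeds the credential used for the access checks.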
@@ -1203,7 +1202,7 @@ hpux_sys_stime_6x(l, v, retval) tv.tv_sec = SCARG(uap, time); tv.tv_usec = 0; - if ((error = suser(p->p_ucred, &p->p_acflag))) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (error); /* WHAT DO WE DO ABOUT PENDING REAL-TIME TIMEOUTS??? */ diff --git a/sys/compat/ibcs2/ibcs2_exec_coff.c b/sys/compat/ibcs2/ibcs2_exec_coff.c index 481c3c5e7a15..b84b3b3f564b 100644 --- a/sys/compat/ibcs2/ibcs2_exec_coff.c +++ b/sys/compat/ibcs2/ibcs2_exec_coff.c @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_exec_coff.c,v 1.15 2005/12/11 12:20:02 christos Exp $ */ +/* $NetBSD: ibcs2_exec_coff.c,v 1.16 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1994, 1995, 1998 Scott Bartram @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.15 2005/12/11 12:20:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.16 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -332,7 +332,7 @@ coff_find_section(l, vp, fp, sh, s_type) for (i = 0; i < fp->f_nscns; i++, pos += sizeof(struct coff_scnhdr)) { siz = sizeof(struct coff_scnhdr); error = vn_rdwr(UIO_READ, vp, (caddr_t) sh, - siz, pos, UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_ucred, + siz, pos, UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_cred, &resid, NULL); if (error) { DPRINTF(("section hdr %d read error %d\n", i, error)); @@ -460,7 +460,7 @@ exec_ibcs2_coff_prep_zmagic(l, epp, fp, ap) error = vn_rdwr(UIO_READ, epp->ep_vp, tbuf, len, sh.s_scnptr, - UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_ucred, + UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_cred, &resid, NULL); if (error) { DPRINTF(("shlib section read error %d\n", error)); 
@@ -553,7 +553,7 @@ coff_load_shlib(l, path, epp) siz = sizeof(struct coff_filehdr); error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t) fhp, siz, 0, - UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred, &resid, l); + UIO_SYSSPACE, IO_NODELOCKED, p->p_cred, &resid, l); if (error) { DPRINTF(("filehdr read error %d\n", error)); vrele(nd.ni_vp); diff --git a/sys/compat/ibcs2/ibcs2_exec_xout.c b/sys/compat/ibcs2/ibcs2_exec_xout.c index 0d8fd225f144..79078deb18dd 100644 --- a/sys/compat/ibcs2/ibcs2_exec_xout.c +++ b/sys/compat/ibcs2/ibcs2_exec_xout.c @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_exec_xout.c,v 1.11 2005/12/11 12:20:02 christos Exp $ */ +/* $NetBSD: ibcs2_exec_xout.c,v 1.12 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1994, 1995, 1998 Scott Bartram @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_xout.c,v 1.11 2005/12/11 12:20:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_xout.c,v 1.12 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -124,7 +124,7 @@ exec_ibcs2_xout_prep_nmagic(l, epp, xp, xep) xs = (struct xseg *)malloc(segsize, M_TEMP, M_WAITOK); error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs, segsize, xep->xe_segpos, - UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_ucred, + UIO_SYSSPACE, IO_NODELOCKED, l->l_proc->p_cred, &resid, NULL); if (error) { DPRINTF(("segment table read error %d\n", error)); diff --git a/sys/compat/ibcs2/ibcs2_fcntl.c b/sys/compat/ibcs2/ibcs2_fcntl.c index 953972abe151..63c0ddf60460 100644 --- a/sys/compat/ibcs2/ibcs2_fcntl.c +++ b/sys/compat/ibcs2/ibcs2_fcntl.c @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_fcntl.c,v 1.20 2005/12/11 12:20:02 christos Exp $ */ +/* $NetBSD: ibcs2_fcntl.c,v 1.21 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1995 Scott Bartram @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_fcntl.c,v 1.20 2005/12/11 12:20:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_fcntl.c,v 1.21 2006/05/14 21:24:49 elad Exp $"); #include #include 
@@ -43,6 +43,7 @@ __KERNEL_RCSID(0, "$NetBSD: ibcs2_fcntl.c,v 1.20 2005/12/11 12:20:02 christos Ex #include #include #include +#include #include #include @@ -250,7 +251,7 @@ ibcs2_sys_eaccess(l, v, retval) syscallarg(int) flags; } */ *uap = v; struct proc *p = l->l_proc; - struct ucred *cred = p->p_ucred; + kauth_cred_t cred = p->p_cred; struct vnode *vp; int error, flags; struct nameidata nd; diff --git a/sys/compat/ibcs2/ibcs2_misc.c b/sys/compat/ibcs2/ibcs2_misc.c index ec7fa941eee2..c9401c8b5b99 100644 --- a/sys/compat/ibcs2/ibcs2_misc.c +++ b/sys/compat/ibcs2/ibcs2_misc.c @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_misc.c,v 1.77 2006/03/01 12:38:12 yamt Exp $ */ +/* $NetBSD: ibcs2_misc.c,v 1.78 2006/05/14 21:24:49 elad Exp $ */ /* * Copyright (c) 1992, 1993 @@ -95,7 +95,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_misc.c,v 1.77 2006/03/01 12:38:12 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_misc.c,v 1.78 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -123,6 +123,7 @@ __KERNEL_RCSID(0, "$NetBSD: ibcs2_misc.c,v 1.77 2006/03/01 12:38:12 yamt Exp $") #include #include #include +#include #include #include @@ -1207,7 +1208,7 @@ ibcs2_sys_plock(l, v, retval) #define IBCS2_DATALOCK 4 - if (suser(p->p_ucred, &p->p_acflag) != 0) + if (kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag) != 0) return EPERM; switch(SCARG(uap, cmd)) { case IBCS2_UNLOCK: @@ -1252,7 +1253,7 @@ ibcs2_sys_uadmin(l, v, retval) #define SCO_AD_GETCMAJ 1 /* XXX: is this the right place for this call? */ - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); switch(SCARG(uap, cmd)) { diff --git a/sys/compat/irix/irix_fcntl.c b/sys/compat/irix/irix_fcntl.c index e5d646084d6c..00550f8035e6 100644 --- a/sys/compat/irix/irix_fcntl.c +++ b/sys/compat/irix/irix_fcntl.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: irix_fcntl.c,v 1.14 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: irix_fcntl.c,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2001-2002 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_fcntl.c,v 1.14 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_fcntl.c,v 1.15 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -267,7 +267,7 @@ fd_truncate(l, fd, whence, start, retval) break; case SEEK_END: - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) return error; SCARG(&ft, length) = vattr.va_size + start; break; diff --git a/sys/compat/irix/irix_ioctl.c b/sys/compat/irix/irix_ioctl.c index f3dd0a3eb5a8..616900d72b85 100644 --- a/sys/compat/irix/irix_ioctl.c +++ b/sys/compat/irix/irix_ioctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: irix_ioctl.c,v 1.8 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: irix_ioctl.c,v 1.9 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_ioctl.c,v 1.8 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_ioctl.c,v 1.9 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -171,7 +171,7 @@ out: error = EINVAL; break; case VBLK: - error = VOP_GETATTR(vp, &vattr, p->p_ucred, l); + error = VOP_GETATTR(vp, &vattr, p->p_cred, l); if (error == 0) { val = vattr.va_blocksize / 512; error = copyout(&val, data, sizeof(int)); diff --git a/sys/compat/irix/irix_mman.c b/sys/compat/irix/irix_mman.c index f8d2899a26d4..7643c016353f 100644 --- a/sys/compat/irix/irix_mman.c +++ b/sys/compat/irix/irix_mman.c @@ -1,4 +1,4 @@ -/* $NetBSD: irix_mman.c,v 1.10 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: irix_mman.c,v 1.11 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. 
@@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_mman.c,v 1.10 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_mman.c,v 1.11 2006/05/14 21:24:49 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_sysv.h" @@ -199,17 +199,17 @@ irix_mmap(l, addr, len, prot, flags, fd, pos, retval) goto out; } - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) goto out; if (pos + len > vattr.va_size) { VATTR_NULL(&vattr); vattr.va_size = round_page(pos + len); - VOP_LEASE(vp, l, p->p_ucred, LEASE_WRITE); + VOP_LEASE(vp, l, p->p_cred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); - error = VOP_SETATTR(vp, &vattr, p->p_ucred, l); + error = VOP_SETATTR(vp, &vattr, p->p_cred, l); VOP_UNLOCK(vp, 0); } diff --git a/sys/compat/irix/irix_mount.c b/sys/compat/irix/irix_mount.c index 479c5c28f3ee..b50f3321168f 100644 --- a/sys/compat/irix/irix_mount.c +++ b/sys/compat/irix/irix_mount.c @@ -1,4 +1,4 @@ -/* $NetBSD: irix_mount.c,v 1.10 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: irix_mount.c,v 1.11 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_mount.c,v 1.10 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_mount.c,v 1.11 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -68,7 +68,7 @@ irix_sys_getmountid(l, v, retval) } */ *uap = v; struct proc *p = l->l_proc; caddr_t sg = stackgap_init(p, 0); - struct ucred *cred; + kauth_cred_t cred; struct vnode *vp; int error = 0; struct nameidata nd; 
@@ -77,9 +77,9 @@ irix_sys_getmountid(l, v, retval) CHECK_ALT_EXIST(l, &sg, SCARG(uap, path)); - cred = crdup(p->p_ucred); - cred->cr_uid = p->p_cred->p_ruid; - cred->cr_gid = p->p_cred->p_rgid; + cred = kauth_cred_dup(p->p_cred); + kauth_cred_seteuid(cred, kauth_cred_getuid(p->p_cred)); + kauth_cred_setegid(cred, kauth_cred_getgid(p->p_cred)); /* Get the vnode for the requested path */ NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, diff --git a/sys/compat/irix/irix_prctl.c b/sys/compat/irix/irix_prctl.c index 459e5284ab50..b729e7a75b5b 100644 --- a/sys/compat/irix/irix_prctl.c +++ b/sys/compat/irix/irix_prctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: irix_prctl.c,v 1.29 2006/03/20 13:14:37 drochner Exp $ */ +/* $NetBSD: irix_prctl.c,v 1.30 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2001-2002 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_prctl.c,v 1.29 2006/03/20 13:14:37 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_prctl.c,v 1.30 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -172,7 +172,7 @@ irix_sys_prctl(l, v, retval) pid_t pid = (pid_t)SCARG(uap, arg1); struct irix_emuldata *ied; struct proc *target; - struct pcred *pc; + kauth_cred_t pc; if (pid == 0) pid = p->p_pid; @@ -184,11 +184,11 @@ irix_sys_prctl(l, v, retval) return 0; pc = p->p_cred; - if (!(pc->pc_ucred->cr_uid == 0 || \ - pc->p_ruid == target->p_cred->p_ruid || \ - pc->pc_ucred->cr_uid == target->p_cred->p_ruid || \ - pc->p_ruid == target->p_ucred->cr_uid || \ - pc->pc_ucred->cr_uid == target->p_ucred->cr_uid)) + if (!(kauth_cred_geteuid(pc) == 0 || \ + kauth_cred_getuid(pc) == kauth_cred_getuid(target->p_cred) || \ + kauth_cred_geteuid(pc) == kauth_cred_getuid(target->p_cred) || \ + kauth_cred_getuid(pc) == kauth_cred_geteuid(target->p_cred) || \ + kauth_cred_geteuid(pc) == kauth_cred_geteuid(target->p_cred))) return EPERM; ied = (struct irix_emuldata *)(target->p_emuldata); 
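Review bot: The credential returned by `kauth_cred_dup(p->p_cred)` in irix_sys_getmountid is a reference this function owns, and nothing in the hunk releases it. The rest of the function lies outside the hunk, so confirm that every exit path, including the one taken when the path lookup fails, ends in `kauth_cred_free(cred);`. A leftover `crfree(cred)` would no longer match the `kauth_cred_t` type. A comment above the dup, `/* Look up the path with the real uid/gid as the effective ids. */`, would also record why the effective ids are overwritten.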
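Review bot: The five-way uid comparison in irix_sys_prctl is still open-coded after the conversion, so the decision never reaches a kauth listener, and its `kauth_cred_geteuid(pc) == 0` term hard-codes root instead of asking `kauth_authorize_generic(pc, KAUTH_GENERIC_ISSUSER, &p->p_acflag)`. The same expression is repeated in irix_sys_procblk and in the four linux_sys_sched_* hunks of linux_sched.c. I would move it into one helper shared by these callers so the rule for acting on another process lives in one place. `target->p_cred` is also read four times; whether the target can change credentials in between is not visible here, so taking the pointer once into a local would at least compare against one consistent credential. The function body begins and ends outside the hunk.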
@@ -422,7 +422,7 @@ irix_sproc_child(isc) struct proc *parent = lparent->l_proc; struct frame *tf = (struct frame *)l2->l_md.md_regs; struct frame *ptf = (struct frame *)lparent->l_md.md_regs; - struct pcred *pc; + kauth_cred_t pc; struct plimit *pl; struct irix_emuldata *ied; struct irix_emuldata *parent_ied; @@ -486,12 +486,9 @@ irix_sproc_child(isc) */ if (inh & IRIX_PR_SID) { pc = p2->p_cred; - parent->p_cred->p_refcnt++; + kauth_cred_hold(parent->p_cred); p2->p_cred = parent->p_cred; - if (--pc->p_refcnt == 0) { - crfree(pc->pc_ucred); - pool_put(&pcred_pool, pc); - } + kauth_cred_free(pc); } /* @@ -572,7 +569,7 @@ irix_sys_procblk(l, v, retval) struct irix_emuldata *iedp; struct irix_share_group *isg; struct proc *target; - struct pcred *pc; + kauth_cred_t pc; int oldcount; struct lwp *ied_lwp; int error, last_error; @@ -584,11 +581,11 @@ irix_sys_procblk(l, v, retval) /* May we stop it? */ pc = p->p_cred; - if (!(pc->pc_ucred->cr_uid == 0 || \ - pc->p_ruid == target->p_cred->p_ruid || \ - pc->pc_ucred->cr_uid == target->p_cred->p_ruid || \ - pc->p_ruid == target->p_ucred->cr_uid || \ - pc->pc_ucred->cr_uid == target->p_ucred->cr_uid)) + if (!(kauth_cred_geteuid(pc) == 0 || \ + kauth_cred_getuid(pc) == kauth_cred_getuid(target->p_cred) || \ + kauth_cred_geteuid(pc) == kauth_cred_getuid(target->p_cred) || \ + kauth_cred_getuid(pc) == kauth_cred_geteuid(target->p_cred) || \ + kauth_cred_geteuid(pc) == kauth_cred_geteuid(target->p_cred))) return EPERM; /* Is it an IRIX process? */ diff --git a/sys/compat/irix/irix_usema.c b/sys/compat/irix/irix_usema.c index 27e1bcd15df3..c18e5c592327 100644 --- a/sys/compat/irix/irix_usema.c +++ b/sys/compat/irix/irix_usema.c @@ -1,4 +1,4 @@ -/* $NetBSD: irix_usema.c,v 1.14 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: irix_usema.c,v 1.15 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. 
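Review bot: Under `IRIX_PR_SID` the old code in irix_sproc_child made the child point at the parent's `struct pcred`, so both processes shared one object for their ids; the new code only takes a reference on the parent's current `kauth_cred_t`. If kauth credentials are replaced rather than modified in place when a process changes ids (not visible from this hunk), the two processes stop tracking each other after the first change, which alters what the share-group flag provides. A comment at the `kauth_cred_hold(parent->p_cred);` line should state which behaviour is intended, e.g. `/* XXX shares the credential as of sproc time only; later id changes are not propagated */`. irix_sproc_child continues outside the hunk.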
@@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: irix_usema.c,v 1.14 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: irix_usema.c,v 1.15 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -180,7 +180,7 @@ irix_usema_ioctl(v) u_long a_command; caddr_t a_data; int a_fflag; - struct ucred *a_cred; + kauth_cred_t a_cred; struct lwp *a_l; } */ *ap = v; u_long cmd = ap->a_command; @@ -299,7 +299,7 @@ irix_usema_close(v) struct vop_close_args /* { struct vnode *a_vp; int a_fflag; - struct ucred *a_cred; + kauth_cred_t a_cred; struct lwp *a_l; } */ *ap = v; struct vnode *vp = ap->a_vp; @@ -343,7 +343,7 @@ irix_usema_setattr(v) struct vop_setattr_args /* { struct vnode *a_vp; struct vattr *a_vap; - struct ucred *a_cred; + kauth_cred_t a_cred; struct lwp *a_l; } */ *ap = v; struct vnode *vp = (struct vnode *)(ap->a_vp->v_data); diff --git a/sys/compat/linux/arch/alpha/linux_machdep.c b/sys/compat/linux/arch/alpha/linux_machdep.c index 359b95e7de67..2cb2009db7d2 100644 --- a/sys/compat/linux/arch/alpha/linux_machdep.c +++ b/sys/compat/linux/arch/alpha/linux_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.32 2005/12/11 12:20:12 christos Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.33 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.32 2005/12/11 12:20:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.33 2006/05/14 21:24:49 elad Exp $"); #include #include @@ -185,7 +185,7 @@ setup_linux_rt_sigframe(struct trapframe *tf, int sig, const sigset_t *mask) sigframe.info.lsi_signo = sig; sigframe.info.lsi_code = LINUX_SI_USER; sigframe.info.lsi_pid = p->p_pid; - sigframe.info.lsi_uid = p->p_ucred->cr_uid; /* Use real uid here? */ + sigframe.info.lsi_uid = kauth_cred_geteuid(p->p_cred); /* Use real uid here? */ if (copyout((caddr_t)&sigframe, (caddr_t)sfp, fsize) != 0) { #ifdef DEBUG 
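Review bot: The `/* Use real uid here? */` question on the `lsi_uid` line in setup_linux_rt_sigframe is carried over unanswered, although after this change the real uid is one accessor away as `kauth_cred_getuid(p->p_cred)`. Either switch to it or expand the comment to say why the effective uid is what the Linux siginfo should report; the m68k linux_machdep.c hunk has the same line. Neither the alpha nor the m68k section adds an include the way the i386 section does, so if the `kauth_cred_geteuid()` prototype is not guaranteed to arrive through another header, add `#include <sys/kauth.h>` to both files. The function body lies mostly outside the hunk.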
diff --git a/sys/compat/linux/arch/amd64/linux_exec_machdep.c b/sys/compat/linux/arch/amd64/linux_exec_machdep.c index ec607a53695c..f343ca8ea8f9 100644 --- a/sys/compat/linux/arch/amd64/linux_exec_machdep.c +++ b/sys/compat/linux/arch/amd64/linux_exec_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_machdep.c,v 1.5 2005/12/16 14:16:14 christos Exp $ */ +/* $NetBSD: linux_exec_machdep.c,v 1.6 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_exec_machdep.c,v 1.5 2005/12/16 14:16:14 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_exec_machdep.c,v 1.6 2006/05/14 21:24:49 elad Exp $"); #ifdef __amd64__ #define ELFSIZE 64 @@ -206,17 +206,17 @@ ELFNAME2(linux,copyargs)(l, pack, arginfo, stackp, argp) esd.ai[i].a_type = LINUX_AT_EGID; esd.ai[i++].a_v = - ((vap->va_mode & S_ISGID) ? vap->va_gid : p->p_ucred->cr_gid); + ((vap->va_mode & S_ISGID) ? vap->va_gid : kauth_cred_getegid(p->p_cred)); esd.ai[i].a_type = LINUX_AT_GID; - esd.ai[i++].a_v = p->p_cred->p_rgid; + esd.ai[i++].a_v = kauth_cred_getgid(p->p_cred); esd.ai[i].a_type = LINUX_AT_EUID; esd.ai[i++].a_v = - ((vap->va_mode & S_ISUID) ? vap->va_uid : p->p_ucred->cr_uid); + ((vap->va_mode & S_ISUID) ? vap->va_uid : kauth_cred_geteuid(p->p_cred)); esd.ai[i].a_type = LINUX_AT_UID; - esd.ai[i++].a_v = p->p_cred->p_ruid; + esd.ai[i++].a_v = kauth_cred_getuid(p->p_cred); esd.ai[i].a_type = LINUX_AT_SECURE; esd.ai[i++].a_v = 0; diff --git a/sys/compat/linux/arch/i386/linux_machdep.c b/sys/compat/linux/arch/i386/linux_machdep.c index 9893b8df371a..b4a68a70edf8 100644 --- a/sys/compat/linux/arch/i386/linux_machdep.c +++ b/sys/compat/linux/arch/i386/linux_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.112 2005/12/11 12:20:14 christos Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.113 2006/05/14 21:24:49 elad Exp $ */ /*- * Copyright (c) 1995, 2000 The NetBSD Foundation, Inc. 
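Review bot: In ELFNAME2(linux,copyargs) the LINUX_AT_EUID and LINUX_AT_EGID entries switch to the executable's owner whenever `S_ISUID`/`S_ISGID` is set in `vap->va_mode`, while the LINUX_AT_SECURE entry directly below them is still a constant 0. A Linux dynamic linker uses that entry to decide whether a set-id program runs in its restricted mode, so the entries should agree; `esd.ai[i++].a_v = (vap->va_mode & (S_ISUID | S_ISGID)) != 0;` would be the minimal form. Whether the mode bits are honoured at all for this exec (for example on a mount that disables set-id) cannot be told from the hunk and should come from the same source the exec path uses. linux32_elf32_copyargs in linux32_exec_elf32.c has the same lines, and both function bodies extend outside their hunks.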
@@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.112 2005/12/11 12:20:14 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.113 2006/05/14 21:24:49 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_vm86.h" @@ -69,6 +69,8 @@ __KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.112 2005/12/11 12:20:14 christos #include #include #include +#include + #include #include @@ -1139,7 +1141,7 @@ linux_sys_iopl(l, v, retval) struct proc *p = l->l_proc; struct trapframe *fp = l->l_md.md_regs; - if (suser(p->p_ucred, &p->p_acflag) != 0) + if (kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag) != 0) return EPERM; fp->tf_eflags |= PSL_IOPL; *retval = 0; @@ -1164,7 +1166,7 @@ linux_sys_ioperm(l, v, retval) struct proc *p = l->l_proc; struct trapframe *fp = l->l_md.md_regs; - if (suser(p->p_ucred, &p->p_acflag) != 0) + if (kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag) != 0) return EPERM; if (SCARG(uap, val)) fp->tf_eflags |= PSL_IOPL; diff --git a/sys/compat/linux/arch/m68k/linux_machdep.c b/sys/compat/linux/arch/m68k/linux_machdep.c index 9a78ef273f6c..3bc3064c794d 100644 --- a/sys/compat/linux/arch/m68k/linux_machdep.c +++ b/sys/compat/linux/arch/m68k/linux_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.25 2005/12/24 22:59:39 perry Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.26 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.25 2005/12/24 22:59:39 perry Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.26 2006/05/14 21:24:50 elad Exp $"); #define COMPAT_LINUX 1 
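Review bot: linux_sys_iopl and linux_sys_ioperm gate raising `PSL_IOPL` on `KAUTH_GENERIC_ISSUSER` alone, which leaves direct I/O port access as an all-or-nothing root privilege. Since this commit introduces kauth, I/O privilege is a good candidate for its own authorization request, so that a security model can refuse it even to uid 0. At minimum add a comment such as `/* XXX kauth: needs a dedicated request, ISSUSER is too coarse */` above both checks. The new condition lines also run past 80 columns and could be wrapped after the second argument. Both function bodies start and end outside their hunks.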
@@ -405,7 +405,7 @@ setup_linux_rt_sigframe(frame, sig, mask, usp, l) kf.sf_info.lsi_signo = sig; kf.sf_info.lsi_code = LINUX_SI_USER; kf.sf_info.lsi_pid = p->p_pid; - kf.sf_info.lsi_uid = p->p_ucred->cr_uid; /* Use real uid here? */ + kf.sf_info.lsi_uid = kauth_cred_geteuid(p->p_cred); /* Use real uid here? */ /* Build the signal context to be used by sigreturn. */ native_to_linux_sigset(&kf.sf_uc.uc_sigmask, mask); @@ -847,7 +847,7 @@ linux_sys_cacheflush(l, v, retval) * LINUX_FLUSH_SCOPE_ALL (flush whole cache) is limited to super users. */ if (scope == LINUX_FLUSH_SCOPE_ALL) { - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; #if defined(M68040) || defined(M68060) /* entire cache */ diff --git a/sys/compat/linux/arch/mips/linux_machdep.c b/sys/compat/linux/arch/mips/linux_machdep.c index a2a873c788ea..d78d34224f27 100644 --- a/sys/compat/linux/arch/mips/linux_machdep.c +++ b/sys/compat/linux/arch/mips/linux_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.24 2005/12/11 12:20:16 christos Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.25 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 2000, 2001 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.24 2005/12/11 12:20:16 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.25 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -428,7 +428,7 @@ linux_sys_sysmips(l, v, retval) int name[2]; size_t len; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; if ((error = copyinstr((char *)SCARG(uap, arg1), nodename, LINUX___NEW_UTS_LEN, &len)) != 0) diff --git a/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c b/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c index cda1cb0defb7..17694fe95f6b 100644 
--- a/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c +++ b/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_powerpc.c,v 1.17 2005/12/11 12:20:16 christos Exp $ */ +/* $NetBSD: linux_exec_powerpc.c,v 1.18 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_exec_powerpc.c,v 1.17 2005/12/11 12:20:16 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_exec_powerpc.c,v 1.18 2006/05/14 21:24:50 elad Exp $"); #if defined (__alpha__) #define ELFSIZE 64 @@ -128,19 +128,19 @@ ELFNAME2(linux,copyargs)(l, pack, arginfo, stackp, argp) * Why can't we use them too? */ a->a_type = LINUX_AT_EGID; - a->a_v = p->p_ucred->cr_gid; + a->a_v = kauth_cred_getegid(p->p_cred); a++; a->a_type = LINUX_AT_GID; - a->a_v = p->p_cred->p_rgid; + a->a_v = kauth_cred_getgid(p->p_cred); a++; a->a_type = LINUX_AT_EUID; - a->a_v = p->p_ucred->cr_uid; + a->a_v = kauth_cred_geteuid(p->p_cred); a++; a->a_type = LINUX_AT_UID; - a->a_v = p->p_cred->p_ruid; + a->a_v = kauth_cred_getuid(p->p_cred); a++; #endif diff --git a/sys/compat/linux/common/linux_exec_elf32.c b/sys/compat/linux/common/linux_exec_elf32.c index 720baeeb9afd..5a1e3ac06057 100644 --- a/sys/compat/linux/common/linux_exec_elf32.c +++ b/sys/compat/linux/common/linux_exec_elf32.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_elf32.c,v 1.71 2006/02/09 19:18:56 manu Exp $ */ +/* $NetBSD: linux_exec_elf32.c,v 1.72 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.71 2006/02/09 19:18:56 manu Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.72 2006/05/14 21:24:50 elad Exp $"); #ifndef ELFSIZE /* XXX should die */ @@ -60,6 +60,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.71 2006/02/09 19:18:56 manu E #include #include #include +#include #include #include 
@@ -397,25 +398,25 @@ ELFNAME2(linux,copyargs)(struct lwp *l, struct exec_package *pack, vap = pack->ep_vap; a->a_type = LINUX_AT_UID; - a->a_v = p->p_cred->p_ruid; + a->a_v = kauth_cred_getuid(p->p_cred); a++; a->a_type = LINUX_AT_EUID; if (vap->va_mode & S_ISUID) a->a_v = vap->va_uid; else - a->a_v = p->p_ucred->cr_uid; + a->a_v = kauth_cred_geteuid(p->p_cred); a++; a->a_type = LINUX_AT_GID; - a->a_v = p->p_cred->p_rgid; + a->a_v = kauth_cred_getgid(p->p_cred); a++; a->a_type = LINUX_AT_EGID; if (vap->va_mode & S_ISGID) a->a_v = vap->va_gid; else - a->a_v = p->p_ucred->cr_gid; + a->a_v = kauth_cred_getegid(p->p_cred); a++; a->a_type = AT_NULL; diff --git a/sys/compat/linux/common/linux_file.c b/sys/compat/linux/common/linux_file.c index 3fc23e0366d1..113367aaed74 100644 --- a/sys/compat/linux/common/linux_file.c +++ b/sys/compat/linux/common/linux_file.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_file.c,v 1.71 2005/12/11 12:20:19 christos Exp $ */ +/* $NetBSD: linux_file.c,v 1.72 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_file.c,v 1.71 2005/12/11 12:20:19 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_file.c,v 1.72 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -443,7 +443,7 @@ linux_sys_fcntl(l, v, retval) break; } - error = VOP_GETATTR(vp, &va, p->p_ucred, l); + error = VOP_GETATTR(vp, &va, p->p_cred, l); FILE_UNUSE(fp, l); diff --git a/sys/compat/linux/common/linux_file64.c b/sys/compat/linux/common/linux_file64.c index 6eeb26417789..1510261202b8 100644 --- a/sys/compat/linux/common/linux_file64.c +++ b/sys/compat/linux/common/linux_file64.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_file64.c,v 1.32 2006/03/01 12:38:12 yamt Exp $ */ +/* $NetBSD: linux_file64.c,v 1.33 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998, 2000 The NetBSD Foundation, Inc. 
@@ -41,7 +41,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_file64.c,v 1.32 2006/03/01 12:38:12 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_file64.c,v 1.33 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -440,7 +440,7 @@ linux_sys_getdents64(l, v, retval) goto out1; } - if ((error = VOP_GETATTR(vp, &va, p->p_ucred, l))) + if ((error = VOP_GETATTR(vp, &va, p->p_cred, l))) goto out1; nbytes = SCARG(uap, count); diff --git a/sys/compat/linux/common/linux_ioctl.c b/sys/compat/linux/common/linux_ioctl.c index 30b3cdd7c494..b13384f68399 100644 --- a/sys/compat/linux/common/linux_ioctl.c +++ b/sys/compat/linux/common/linux_ioctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_ioctl.c,v 1.43 2005/12/11 12:20:19 christos Exp $ */ +/* $NetBSD: linux_ioctl.c,v 1.44 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_ioctl.c,v 1.43 2005/12/11 12:20:19 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_ioctl.c,v 1.44 2006/05/14 21:24:50 elad Exp $"); #if defined(_KERNEL_OPT) #include "sequencer.h" @@ -136,7 +136,7 @@ linux_sys_ioctl(l, v, retval) if (fp->f_type == DTYPE_VNODE && (vp = (struct vnode *)fp->f_data) != NULL && vp->v_type == VCHR && - VOP_GETATTR(vp, &va, p->p_ucred, l) == 0 && + VOP_GETATTR(vp, &va, p->p_cred, l) == 0 && cdevsw_lookup(va.va_rdev) == &sequencer_cdevsw) { error = oss_ioctl_sequencer(l, (void*)LINUX_TO_OSS(uap), retval); diff --git a/sys/compat/linux/common/linux_misc.c b/sys/compat/linux/common/linux_misc.c index 58417623ae86..22fedcdb0a18 100644 --- a/sys/compat/linux/common/linux_misc.c +++ b/sys/compat/linux/common/linux_misc.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_misc.c,v 1.153 2006/05/10 11:05:34 yamt Exp $ */ +/* $NetBSD: linux_misc.c,v 1.154 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998, 1999 The NetBSD Foundation, Inc. 
@@ -64,7 +64,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_misc.c,v 1.153 2006/05/10 11:05:34 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_misc.c,v 1.154 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -95,6 +95,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_misc.c,v 1.153 2006/05/10 11:05:34 yamt Exp $" #include #include /* for SWAP_ON */ #include /* for KERN_DOMAINNAME */ +#include #include #include @@ -859,7 +860,7 @@ linux_sys_getdents(l, v, retval) goto out1; } - if ((error = VOP_GETATTR(vp, &va, p->p_ucred, l))) + if ((error = VOP_GETATTR(vp, &va, p->p_cred, l))) goto out1; nbytes = SCARG(uap, count); @@ -1244,7 +1245,7 @@ linux_sys_getgroups16(l, v, retval) struct sys_getgroups_args bsa; gid_t *bset, *kbset; linux_gid_t *lset; - struct pcred *pc = p->p_cred; + kauth_cred_t pc = p->p_cred; n = SCARG(uap, gidsetsize); if (n < 0) @@ -1253,7 +1254,7 @@ linux_sys_getgroups16(l, v, retval) bset = kbset = NULL; lset = NULL; if (n > 0) { - n = min(pc->pc_ucred->cr_ngroups, n); + n = min(kauth_cred_ngroups(pc), n); sg = stackgap_init(p, 0); bset = stackgap_alloc(p, &sg, n * sizeof (gid_t)); kbset = malloc(n * sizeof (gid_t), M_TEMP, M_WAITOK); @@ -1276,7 +1277,7 @@ linux_sys_getgroups16(l, v, retval) error = copyout(lset, SCARG(uap, gidset), n * sizeof (linux_gid_t)); } else - *retval = pc->pc_ucred->cr_ngroups; + *retval = kauth_cred_ngroups(pc); out: if (kbset != NULL) free(kbset, M_TEMP); @@ -1356,7 +1357,7 @@ linux_sys_setfsuid(l, v, retval) uid_t uid; uid = SCARG(uap, uid); - if (p->p_cred->p_ruid != uid) + if (kauth_cred_getuid(p->p_cred) != uid) return sys_nosys(l, v, retval); else return (0); @@ -1411,8 +1412,9 @@ linux_sys_getresuid(l, v, retval) syscallarg(uid_t *) suid; } */ *uap = v; struct proc *p = l->l_proc; - struct pcred *pc = p->p_cred; + kauth_cred_t pc = p->p_cred; int error; + uid_t uid; /* * Linux copies these values out to userspace like so: 
@@ -1421,15 +1423,17 @@ linux_sys_getresuid(l, v, retval) * 2. If that succeeds, copy out euid. * 3. If both of those succeed, copy out suid. */ - if ((error = copyout(&pc->p_ruid, SCARG(uap, ruid), - sizeof(uid_t))) != 0) + uid = kauth_cred_getuid(pc); + if ((error = copyout(&uid, SCARG(uap, ruid), sizeof(uid_t))) != 0) return (error); - if ((error = copyout(&pc->pc_ucred->cr_uid, SCARG(uap, euid), - sizeof(uid_t))) != 0) + uid = kauth_cred_geteuid(pc); + if ((error = copyout(&uid, SCARG(uap, euid), sizeof(uid_t))) != 0) return (error); - return (copyout(&pc->p_svuid, SCARG(uap, suid), sizeof(uid_t))); + uid = kauth_cred_getsvuid(pc); + + return (copyout(&uid, SCARG(uap, suid), sizeof(uid_t))); } int @@ -1508,7 +1512,7 @@ linux_sys_reboot(struct lwp *l, void *v, register_t *retval) struct proc *p = l->l_proc; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return(error); if (SCARG(uap, magic1) != LINUX_REBOOT_MAGIC1) diff --git a/sys/compat/linux/common/linux_misc_notalpha.c b/sys/compat/linux/common/linux_misc_notalpha.c index 5b7fc7c52db5..59fe98e09b2c 100644 --- a/sys/compat/linux/common/linux_misc_notalpha.c +++ b/sys/compat/linux/common/linux_misc_notalpha.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_misc_notalpha.c,v 1.78 2006/05/10 11:05:34 yamt Exp $ */ +/* $NetBSD: linux_misc_notalpha.c,v 1.79 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_misc_notalpha.c,v 1.78 2006/05/10 11:05:34 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_misc_notalpha.c,v 1.79 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -54,6 +54,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_misc_notalpha.c,v 1.78 2006/05/10 11:05:34 yam #include #include #include +#include #include #include 
@@ -360,8 +361,9 @@ linux_sys_getresgid(l, v, retval) syscallarg(gid_t *) sgid; } */ *uap = v; struct proc *p = l->l_proc; - struct pcred *pc = p->p_cred; + kauth_cred_t pc = p->p_cred; int error; + gid_t gid; /* * Linux copies these values out to userspace like so: @@ -370,15 +372,17 @@ linux_sys_getresgid(l, v, retval) * 2. If that succeeds, copy out egid. * 3. If both of those succeed, copy out sgid. */ - if ((error = copyout(&pc->p_rgid, SCARG(uap, rgid), - sizeof(gid_t))) != 0) + gid = kauth_cred_getgid(pc); + if ((error = copyout(&gid, SCARG(uap, rgid), sizeof(gid_t))) != 0) return (error); - if ((error = copyout(&pc->pc_ucred->cr_gid, SCARG(uap, egid), - sizeof(gid_t))) != 0) + gid = kauth_cred_getegid(pc); + if ((error = copyout(&gid, SCARG(uap, egid), sizeof(gid_t))) != 0) return (error); - return (copyout(&pc->p_svgid, SCARG(uap, sgid), sizeof(gid_t))); + gid = kauth_cred_getsvgid(pc); + + return (copyout(&gid, SCARG(uap, sgid), sizeof(gid_t))); } #ifndef __amd64__ @@ -400,7 +404,7 @@ linux_sys_stime(l, v, retval) linux_time_t tt; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); if ((error = copyin(&tt, SCARG(uap, t), sizeof tt)) != 0) diff --git a/sys/compat/linux/common/linux_sched.c b/sys/compat/linux/common/linux_sched.c index 398a4417aa42..824d8a452bc1 100644 --- a/sys/compat/linux/common/linux_sched.c +++ b/sys/compat/linux/common/linux_sched.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_sched.c,v 1.29 2005/11/29 22:31:59 jdolecek Exp $ */ +/* $NetBSD: linux_sched.c,v 1.30 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_sched.c,v 1.29 2005/11/29 22:31:59 jdolecek Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_sched.c,v 1.30 2006/05/14 21:24:50 elad Exp $"); #include #include 
@@ -53,6 +53,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_sched.c,v 1.29 2005/11/29 22:31:59 jdolecek Ex #include #include #include +#include #include @@ -198,16 +199,16 @@ linux_sys_sched_setparam(cl, v, retval) return error; if (SCARG(uap, pid) != 0) { - struct pcred *pc = cp->p_cred; + kauth_cred_t pc = cp->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(cp == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } @@ -235,16 +236,16 @@ linux_sys_sched_getparam(cl, v, retval) return EINVAL; if (SCARG(uap, pid) != 0) { - struct pcred *pc = cp->p_cred; + kauth_cred_t pc = cp->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(cp == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } 
@@ -280,16 +281,16 @@ linux_sys_sched_setscheduler(cl, v, retval) return error; if (SCARG(uap, pid) != 0) { - struct pcred *pc = cp->p_cred; + kauth_cred_t pc = cp->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(cp == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } @@ -320,16 +321,16 @@ linux_sys_sched_getscheduler(cl, v, retval) */ if (SCARG(uap, pid) != 0) { - struct pcred *pc = cp->p_cred; + kauth_cred_t pc = cp->p_cred; if ((p = pfind(SCARG(uap, pid))) == NULL) return ESRCH; if (!(cp == p || - pc->pc_ucred->cr_uid == 0 || - pc->p_ruid == p->p_cred->p_ruid || - pc->pc_ucred->cr_uid == p->p_cred->p_ruid || - pc->p_ruid == p->p_ucred->cr_uid || - pc->pc_ucred->cr_uid == p->p_ucred->cr_uid)) + kauth_cred_geteuid(pc) == 0 || + kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) || + kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) || + kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred))) return EPERM; } diff --git a/sys/compat/linux/common/linux_socket.c b/sys/compat/linux/common/linux_socket.c index 2436b422d250..15c00141fa90 100644 --- a/sys/compat/linux/common/linux_socket.c +++ b/sys/compat/linux/common/linux_socket.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_socket.c,v 1.61 2006/05/12 01:58:55 mrg Exp $ */ +/* $NetBSD: linux_socket.c,v 1.62 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. 
@@ -42,7 +42,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.61 2006/05/12 01:58:55 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.62 2006/05/14 21:24:50 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -74,6 +74,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.61 2006/05/12 01:58:55 mrg Exp $" #include #include #include +#include #include #include @@ -1529,8 +1530,7 @@ linux_sa_get(l, s, sgp, sap, osa, osalen) !IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))) { sin6->sin6_scope_id = 0; } else { - int uid = p->p_cred && p->p_ucred ? - p->p_ucred->cr_uid : -1; + int uid = p->p_cred ? kauth_cred_geteuid(p->p_cred) : -1; log(LOG_DEBUG, "pid %d (%s), uid %d: obsolete pre-RFC2553 " diff --git a/sys/compat/linux/common/linux_uselib.c b/sys/compat/linux/common/linux_uselib.c index c51f59fed4fe..bc66ac55e46d 100644 --- a/sys/compat/linux/common/linux_uselib.c +++ b/sys/compat/linux/common/linux_uselib.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux_uselib.c,v 1.14 2005/12/11 12:20:19 christos Exp $ */ +/* $NetBSD: linux_uselib.c,v 1.15 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_uselib.c,v 1.14 2005/12/11 12:20:19 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_uselib.c,v 1.15 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -118,7 +118,7 @@ linux_sys_uselib(l, v, retval) vp = ni.ni_vp; if ((error = vn_rdwr(UIO_READ, vp, (caddr_t) &hdr, LINUX_AOUT_HDR_SIZE, - 0, UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred, + 0, UIO_SYSSPACE, IO_NODELOCKED, p->p_cred, &rem, NULL))) { vrele(vp); return error; diff --git a/sys/compat/linux32/common/linux32_exec_elf32.c b/sys/compat/linux32/common/linux32_exec_elf32.c index c2bf3916a6bf..8e66d63cd60c 100644 --- a/sys/compat/linux32/common/linux32_exec_elf32.c +++ b/sys/compat/linux32/common/linux32_exec_elf32.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: linux32_exec_elf32.c,v 1.1 2006/02/09 19:18:57 manu Exp $ */ +/* $NetBSD: linux32_exec_elf32.c,v 1.2 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1995, 1998, 2000, 2001,2006 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.1 2006/02/09 19:18:57 manu Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.2 2006/05/14 21:24:50 elad Exp $"); #define ELFSIZE 32 @@ -218,17 +218,17 @@ linux32_elf32_copyargs(struct lwp *l, struct exec_package *pack, esd.ai[i].a_type = LINUX_AT_EGID; esd.ai[i++].a_v = - ((vap->va_mode & S_ISGID) ? vap->va_gid : p->p_ucred->cr_gid); + ((vap->va_mode & S_ISGID) ? vap->va_gid : kauth_cred_getegid(p->p_cred)); esd.ai[i].a_type = LINUX_AT_GID; - esd.ai[i++].a_v = p->p_cred->p_rgid; + esd.ai[i++].a_v = kauth_cred_getgid(p->p_cred); esd.ai[i].a_type = LINUX_AT_EUID; esd.ai[i++].a_v = - ((vap->va_mode & S_ISUID) ? vap->va_uid : p->p_ucred->cr_uid); + ((vap->va_mode & S_ISUID) ? vap->va_uid : kauth_cred_geteuid(p->p_cred)); esd.ai[i].a_type = LINUX_AT_UID; - esd.ai[i++].a_v = p->p_cred->p_ruid; + esd.ai[i++].a_v = kauth_cred_getuid(p->p_cred); esd.ai[i].a_type = LINUX_AT_SECURE; esd.ai[i++].a_v = 0; diff --git a/sys/compat/linux32/common/linux32_misc.c b/sys/compat/linux32/common/linux32_misc.c index fdbe93bef1ef..4bd78f867aa0 100644 --- a/sys/compat/linux32/common/linux32_misc.c +++ b/sys/compat/linux32/common/linux32_misc.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_misc.c,v 1.1 2006/02/09 19:18:57 manu Exp $ */ +/* $NetBSD: linux32_misc.c,v 1.2 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -33,7 +33,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_misc.c,v 1.1 2006/02/09 19:18:57 manu Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_misc.c,v 1.2 2006/05/14 21:24:50 elad Exp $"); #include #include 
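Review bot: In linux32_elf32_copyargs the LINUX_AT_EUID and LINUX_AT_EGID entries take S_ISUID/S_ISGID on the executable into account, but the LINUX_AT_SECURE entry at the end of the hunk is still the constant `esd.ai[i++].a_v = 0;`. If the emulated runtime linker relies on that entry to decide whether to ignore environment-supplied library paths, a set-id Linux binary is started as if it were unprivileged; the hunk does not show how the consumer treats it, so this needs confirming. Deriving the value from the same data, for example `esd.ai[i++].a_v = (vap->va_mode & (S_ISUID | S_ISGID)) != 0;`, or adding a comment that explains why 0 is safe, would close the gap. The function starts and ends outside the hunk.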
@@ -1382,7 +1382,7 @@ linux32_sys_stime(l, v, retval) linux32_time_t tt32; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; if ((error = copyin(&tt32, diff --git a/sys/compat/linux32/common/linux32_time.c b/sys/compat/linux32/common/linux32_time.c index 105ec1861a8a..674612abd5f3 100644 --- a/sys/compat/linux32/common/linux32_time.c +++ b/sys/compat/linux32/common/linux32_time.c @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_time.c,v 1.2 2006/02/24 06:39:47 manu Exp $ */ +/* $NetBSD: linux32_time.c,v 1.3 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -33,7 +33,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_time.c,v 1.2 2006/02/24 06:39:47 manu Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_time.c,v 1.3 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -201,7 +201,7 @@ linux32_sys_stime(l, v, retval) linux32_time_t tt32; int error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; if ((error = copyin(&tt32, diff --git a/sys/compat/mach/mach_task.c b/sys/compat/mach/mach_task.c index ce27fc03e67b..9d740933aac2 100644 --- a/sys/compat/mach/mach_task.c +++ b/sys/compat/mach/mach_task.c @@ -1,4 +1,4 @@ -/* $NetBSD: mach_task.c,v 1.56 2006/03/07 03:32:06 thorpej Exp $ */ +/* $NetBSD: mach_task.c,v 1.57 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 2002-2003 The NetBSD Foundation, Inc. @@ -39,7 +39,7 @@ #include "opt_compat_darwin.h" #include -__KERNEL_RCSID(0, "$NetBSD: mach_task.c,v 1.56 2006/03/07 03:32:06 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: mach_task.c,v 1.57 2006/05/14 21:24:50 elad Exp $"); #include #include 
@@ -681,9 +681,9 @@ mach_sys_task_for_pid(l, v, retval) return ESRCH; /* Allowed only if the UID match, if setuid, or if superuser */ - if ((t->p_cred->p_ruid != p->p_cred->p_ruid || + if ((kauth_cred_getuid(t->p_cred) != kauth_cred_getuid(p->p_cred) || ISSET(t->p_flag, P_SUGID)) && - (error = suser(p->p_ucred, &p->p_acflag)) != 0) + (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); /* This will only work on a Mach process */ diff --git a/sys/compat/ndis/subr_pe.c b/sys/compat/ndis/subr_pe.c index 3ee1a76f6bef..294d94a15208 100644 --- a/sys/compat/ndis/subr_pe.c +++ b/sys/compat/ndis/subr_pe.c @@ -35,7 +35,7 @@ __FBSDID("$FreeBSD: src/sys/compat/ndis/subr_pe.c,v 1.7.2.3 2005/03/31 04:24:36 wpaul Exp $"); #endif #ifdef __NetBSD__ -__KERNEL_RCSID(0, "$NetBSD: subr_pe.c,v 1.3 2006/03/31 00:03:57 rittera Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_pe.c,v 1.4 2006/05/14 21:24:50 elad Exp $"); #endif diff --git a/sys/compat/netbsd32/netbsd32_compat_30.c b/sys/compat/netbsd32/netbsd32_compat_30.c index d73fe9faecba..77f1a0abeb68 100644 --- a/sys/compat/netbsd32/netbsd32_compat_30.c +++ b/sys/compat/netbsd32/netbsd32_compat_30.c @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_compat_30.c,v 1.6 2006/05/05 13:31:30 cube Exp $ */ +/* $NetBSD: netbsd32_compat_30.c,v 1.7 2006/05/14 21:24:50 elad Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_30.c,v 1.6 2006/05/05 13:31:30 cube Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_30.c,v 1.7 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -50,6 +50,7 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_30.c,v 1.6 2006/05/05 13:31:30 cube #include #include #include +#include #include #include 
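Review bot: The comment above the check in mach_sys_task_for_pid, `/* Allowed only if the UID match, if setuid, or if superuser */`, does not match the condition it describes: a target with P_SUGID set, or with a different real uid, is refused unless kauth_authorize_generic() succeeds. Because this is the access check on the target process `t`, the comment should state the rule the code enforces, e.g. `/* Allowed if the real UIDs match and the target is not set-id; otherwise superuser only */`. The function body starts and ends outside the hunk.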
@@ -216,7 +217,8 @@ compat_30_netbsd32_fhstat(l, v, retval) /* * Must be super user */ - if ((error = suser(p->p_ucred, &p->p_acflag))) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (error); if ((error = copyin(NETBSD32PTR64(SCARG(uap, fhp)), &fh, diff --git a/sys/compat/netbsd32/netbsd32_exec_elf32.c b/sys/compat/netbsd32/netbsd32_exec_elf32.c index e5410c4d4e74..993c26fe705a 100644 --- a/sys/compat/netbsd32/netbsd32_exec_elf32.c +++ b/sys/compat/netbsd32/netbsd32_exec_elf32.c @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_exec_elf32.c,v 1.24 2005/12/27 00:36:00 cube Exp $ */ +/* $NetBSD: netbsd32_exec_elf32.c,v 1.25 2006/05/14 21:24:50 elad Exp $ */ /* from: NetBSD: exec_aout.c,v 1.15 1996/09/26 23:34:46 cgd Exp */ /* @@ -59,7 +59,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.24 2005/12/27 00:36:00 cube Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.25 2006/05/14 21:24:50 elad Exp $"); #define ELFSIZE 32 @@ -73,6 +73,7 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.24 2005/12/27 00:36:00 cub #include #include #include +#include #include #include @@ -180,19 +181,19 @@ netbsd32_elf32_copyargs(struct lwp *l, struct exec_package *pack, a++; a->a_type = AT_EUID; - a->a_v = p->p_ucred->cr_uid; + a->a_v = kauth_cred_geteuid(p->p_cred); a++; a->a_type = AT_RUID; - a->a_v = p->p_cred->p_ruid; + a->a_v = kauth_cred_getuid(p->p_cred); a++; a->a_type = AT_EGID; - a->a_v = p->p_ucred->cr_gid; + a->a_v = kauth_cred_getegid(p->p_cred); a++; a->a_type = AT_RGID; - a->a_v = p->p_cred->p_rgid; + a->a_v = kauth_cred_getgid(p->p_cred); a++; free((char *)ap, M_TEMP); diff --git a/sys/compat/netbsd32/netbsd32_fs.c b/sys/compat/netbsd32/netbsd32_fs.c index d385636f5a62..1d1541bd073b 100644 --- a/sys/compat/netbsd32/netbsd32_fs.c +++ b/sys/compat/netbsd32/netbsd32_fs.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_fs.c,v 1.26 2006/05/05 13:31:30 cube Exp $ */ +/* $NetBSD: netbsd32_fs.c,v 1.27 2006/05/14 21:24:50 elad Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.26 2006/05/05 13:31:30 cube Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.27 2006/05/14 21:24:50 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_ktrace.h" @@ -54,6 +54,7 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.26 2006/05/05 13:31:30 cube Exp $" #include #include #include +#include #include #include @@ -365,13 +366,13 @@ change_utimes32(vp, tptr, l) netbsd32_to_timeval(&tv32[0], &tv[0]); netbsd32_to_timeval(&tv32[1], &tv[1]); } - VOP_LEASE(vp, l, p->p_ucred, LEASE_WRITE); + VOP_LEASE(vp, l, p->p_cred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); vattr.va_atime.tv_sec = tv[0].tv_sec; vattr.va_atime.tv_nsec = tv[0].tv_usec * 1000; vattr.va_mtime.tv_sec = tv[1].tv_sec; vattr.va_mtime.tv_nsec = tv[1].tv_usec * 1000; - error = VOP_SETATTR(vp, &vattr, p->p_ucred, l); + error = VOP_SETATTR(vp, &vattr, p->p_cred, l); VOP_UNLOCK(vp, 0); return (error); } @@ -556,7 +557,7 @@ netbsd32_fhstatvfs1(l, v, retval) /* * Must be super user */ - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; if ((error = copyin((caddr_t)NETBSD32PTR64(SCARG(uap, fhp)), &fh, @@ -790,7 +791,8 @@ int netbsd32_sys___fhstat30(l, v, retval) /* * Must be super user */ - if ((error = suser(p->p_ucred, &p->p_acflag))) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (error); if ((error = copyin(NETBSD32PTR64(SCARG(uap, fhp)), &fh, diff --git a/sys/compat/netbsd32/netbsd32_netbsd.c b/sys/compat/netbsd32/netbsd32_netbsd.c index d7a2613ae8d8..1b8664d6bf69 100644 --- a/sys/compat/netbsd32/netbsd32_netbsd.c +++ b/sys/compat/netbsd32/netbsd32_netbsd.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_netbsd.c,v 1.103 2006/05/11 00:59:10 mrg Exp $ */ +/* $NetBSD: netbsd32_netbsd.c,v 1.104 2006/05/14 21:24:50 elad Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_netbsd.c,v 1.103 2006/05/11 00:59:10 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_netbsd.c,v 1.104 2006/05/14 21:24:50 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_ddb.h" @@ -75,6 +75,7 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_netbsd.c,v 1.103 2006/05/11 00:59:10 mrg Ex #include #include #include +#include #include @@ -967,21 +968,25 @@ netbsd32_getgroups(l, v, retval) syscallarg(int) gidsetsize; syscallarg(netbsd32_gid_tp) gidset; } */ *uap = v; - struct pcred *pc = l->l_proc->p_cred; + kauth_cred_t pc = l->l_proc->p_cred; int ngrp; int error; + gid_t *grbuf; ngrp = SCARG(uap, gidsetsize); if (ngrp == 0) { - *retval = pc->pc_ucred->cr_ngroups; + *retval = kauth_cred_ngroups(pc); return (0); } - if (ngrp < pc->pc_ucred->cr_ngroups) + if (ngrp < kauth_cred_ngroups(pc)) return (EINVAL); - ngrp = pc->pc_ucred->cr_ngroups; + ngrp = kauth_cred_ngroups(pc); /* Should convert gid_t to netbsd32_gid_t, but they're the same */ - error = copyout((caddr_t)pc->pc_ucred->cr_groups, - (caddr_t)NETBSD32PTR64(SCARG(uap, gidset)), ngrp * sizeof(gid_t)); + grbuf = malloc(ngrp * sizeof(*grbuf), M_TEMP, M_WAITOK); + kauth_cred_getgroups(pc, grbuf, ngrp); + error = copyout(grbuf, (caddr_t)NETBSD32PTR64(SCARG(uap, gidset)), + ngrp * sizeof(*grbuf)); + free(grbuf, M_TEMP); if (error) return (error); *retval = ngrp; diff --git a/sys/compat/netbsd32/netbsd32_time.c b/sys/compat/netbsd32/netbsd32_time.c index 6f85eb70500b..7dd7f316b0db 100644 --- a/sys/compat/netbsd32/netbsd32_time.c +++ b/sys/compat/netbsd32/netbsd32_time.c 
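Review bot: In netbsd32_getgroups the temporary buffer passed to copyout() is allocated without zeroing and the result of kauth_cred_getgroups() is not checked, so if that call ever fills fewer than ngrp entries the rest of the kernel allocation is copied to user space. Its contract is not visible in this hunk; as cheap hardening I would allocate with `grbuf = malloc(ngrp * sizeof(*grbuf), M_TEMP, M_WAITOK | M_ZERO);`. kauth_cred_ngroups(pc) is also evaluated up to three times, and taking the count once into a local keeps the size check, the allocation and the copy on the same value. The function starts outside the hunk.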
@@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_time.c,v 1.19 2006/02/17 15:44:17 he Exp $ */ +/* $NetBSD: netbsd32_time.c,v 1.20 2006/05/14 21:24:50 elad Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_time.c,v 1.19 2006/02/17 15:44:17 he Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_time.c,v 1.20 2006/05/14 21:24:50 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_ntp.h" @@ -45,6 +45,7 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_time.c,v 1.19 2006/02/17 15:44:17 he Exp $" #include #include #include +#include #include #include @@ -195,7 +196,7 @@ netbsd32_ntp_adjtime(l, v, retval) * the assumption the superuser should know what it is doing. */ modes = ntv.modes; - if (modes != 0 && (error = suser(p->p_ucred, &p->p_acflag))) + if (modes != 0 && (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (error); s = splclock(); @@ -407,7 +408,7 @@ netbsd32_settimeofday(l, v, retval) struct proc *p = l->l_proc; /* Verify all parameters before changing time. */ - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; /* @@ -447,7 +448,7 @@ netbsd32_adjtime(l, v, retval) extern long bigadj, timedelta; extern int tickdelta; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); error = copyin((caddr_t)NETBSD32PTR64(SCARG(uap, delta)), &atv, @@ -532,7 +533,7 @@ netbsd32_clock_settime(l, v, retval) int error; struct proc *p = l->l_proc; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); clock_id = SCARG(uap, clock_id); diff --git a/sys/compat/osf1/osf1_exec_ecoff.c b/sys/compat/osf1/osf1_exec_ecoff.c index d88c287ad916..8b8b5a25714f 100644 
--- a/sys/compat/osf1/osf1_exec_ecoff.c +++ b/sys/compat/osf1/osf1_exec_ecoff.c @@ -1,4 +1,4 @@ -/* $NetBSD: osf1_exec_ecoff.c,v 1.12 2005/12/11 12:20:23 christos Exp $ */ +/* $NetBSD: osf1_exec_ecoff.c,v 1.13 2006/05/14 21:24:50 elad Exp $ */ /* * Copyright (c) 1999 Christopher G. Demetriou. All rights reserved. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: osf1_exec_ecoff.c,v 1.12 2005/12/11 12:20:23 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: osf1_exec_ecoff.c,v 1.13 2006/05/14 21:24:50 elad Exp $"); #include #include @@ -237,7 +237,7 @@ osf1_exec_ecoff_dynamic(struct lwp *l, struct exec_package *epp) goto badunlock; } - if ((error = VOP_ACCESS(ldr_vp, VEXEC, p->p_ucred, l)) != 0) + if ((error = VOP_ACCESS(ldr_vp, VEXEC, p->p_cred, l)) != 0) goto badunlock; if (ldr_vp->v_mount->mnt_flag & MNT_NOEXEC) { @@ -258,7 +258,7 @@ osf1_exec_ecoff_dynamic(struct lwp *l, struct exec_package *epp) * read the header, and make sure we got all of it. */ if ((error = vn_rdwr(UIO_READ, ldr_vp, (caddr_t)&ldr_exechdr, - sizeof ldr_exechdr, 0, UIO_SYSSPACE, 0, p->p_ucred, + sizeof ldr_exechdr, 0, UIO_SYSSPACE, 0, p->p_cred, &resid, NULL)) != 0) goto bad; if (resid != 0) { diff --git a/sys/compat/ossaudio/ossaudio.c b/sys/compat/ossaudio/ossaudio.c index b7d7cdd96670..be9e9416346e 100644 --- a/sys/compat/ossaudio/ossaudio.c +++ b/sys/compat/ossaudio/ossaudio.c @@ -1,4 +1,4 @@ -/* $NetBSD: ossaudio.c,v 1.50 2006/03/04 11:17:08 xtraeme Exp $ */ +/* $NetBSD: ossaudio.c,v 1.51 2006/05/14 21:24:50 elad Exp $ */ /*- * Copyright (c) 1997 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ossaudio.c,v 1.50 2006/03/04 11:17:08 xtraeme Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ossaudio.c,v 1.51 2006/05/14 21:24:50 elad Exp $"); #include #include 
@@ -643,7 +643,7 @@ getdevinfo(fp, l) vp = (struct vnode *)fp->f_data; if (vp->v_type != VCHR) return 0; - if (VOP_GETATTR(vp, &va, p->p_ucred, l)) + if (VOP_GETATTR(vp, &va, p->p_cred, l)) return 0; if (di->done && di->dev == va.va_rdev) return di; diff --git a/sys/compat/pecoff/pecoff_exec.c b/sys/compat/pecoff/pecoff_exec.c index 5692b2eefa33..e22b62ab9b35 100644 --- a/sys/compat/pecoff/pecoff_exec.c +++ b/sys/compat/pecoff/pecoff_exec.c @@ -1,4 +1,4 @@ -/* $NetBSD: pecoff_exec.c,v 1.30 2006/05/11 17:17:00 mrg Exp $ */ +/* $NetBSD: pecoff_exec.c,v 1.31 2006/05/14 21:25:21 elad Exp $ */ /* * Copyright (c) 2000 Masaru OKI @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pecoff_exec.c,v 1.30 2006/05/11 17:17:00 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pecoff_exec.c,v 1.31 2006/05/14 21:25:21 elad Exp $"); /*#define DEBUG_PECOFF*/ @@ -195,11 +195,11 @@ pecoff_load_file(l, epp, path, vcset, entry, argp) error = EACCES; goto badunlock; } - if ((error = VOP_ACCESS(vp, VEXEC, l->l_proc->p_ucred, l)) != 0) + if ((error = VOP_ACCESS(vp, VEXEC, l->l_proc->p_cred, l)) != 0) goto badunlock; /* get attributes */ - if ((error = VOP_GETATTR(vp, &attr, l->l_proc->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &attr, l->l_proc->p_cred, l)) != 0) goto badunlock; /* diff --git a/sys/compat/sunos/sunos_misc.c b/sys/compat/sunos/sunos_misc.c index 144b27ae1bcb..d8e7601ca2ce 100644 --- a/sys/compat/sunos/sunos_misc.c +++ b/sys/compat/sunos/sunos_misc.c @@ -1,4 +1,4 @@ -/* $NetBSD: sunos_misc.c,v 1.136 2006/03/01 12:38:12 yamt Exp $ */ +/* $NetBSD: sunos_misc.c,v 1.137 2006/05/14 21:25:21 elad Exp $ */ /* * Copyright (c) 1992, 1993 @@ -50,7 +50,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: sunos_misc.c,v 1.136 2006/03/01 12:38:12 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sunos_misc.c,v 1.137 2006/05/14 21:25:21 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_nfsserver.h" 
@@ -1259,7 +1259,7 @@ sunos_sys_reboot(l, v, retval) int error, bsd_howto, sun_howto; char *bootstr; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); /* diff --git a/sys/compat/sunos32/sunos32_misc.c b/sys/compat/sunos32/sunos32_misc.c index 2509f18ff277..8b876c0277f3 100644 --- a/sys/compat/sunos32/sunos32_misc.c +++ b/sys/compat/sunos32/sunos32_misc.c @@ -1,4 +1,4 @@ -/* $NetBSD: sunos32_misc.c,v 1.36 2006/03/01 12:38:12 yamt Exp $ */ +/* $NetBSD: sunos32_misc.c,v 1.37 2006/05/14 21:25:21 elad Exp $ */ /* from :NetBSD: sunos_misc.c,v 1.107 2000/12/01 19:25:10 jdolecek Exp */ /* @@ -79,7 +79,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: sunos32_misc.c,v 1.36 2006/03/01 12:38:12 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sunos32_misc.c,v 1.37 2006/05/14 21:25:21 elad Exp $"); #define COMPAT_SUNOS 1 @@ -123,6 +123,7 @@ __KERNEL_RCSID(0, "$NetBSD: sunos32_misc.c,v 1.36 2006/03/01 12:38:12 yamt Exp $ #include #include #include +#include #include #include @@ -1562,7 +1563,7 @@ sunos32_sys_reboot(l, v, retval) int error, bsd_howto, sun_howto; char *bootstr; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); /* diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c index a3259358c549..86731a4dca7a 100644 --- a/sys/compat/svr4/svr4_fcntl.c +++ b/sys/compat/svr4/svr4_fcntl.c @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_fcntl.c,v 1.48 2005/12/11 12:20:26 christos Exp $ */ +/* $NetBSD: svr4_fcntl.c,v 1.49 2006/05/14 21:25:21 elad Exp $ */ /*- * Copyright (c) 1994, 1997 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_fcntl.c,v 1.48 2005/12/11 12:20:26 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_fcntl.c,v 1.49 2006/05/14 21:25:21 elad Exp $"); #include #include 
@@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: svr4_fcntl.c,v 1.48 2005/12/11 12:20:26 christos Exp #include #include #include +#include #include #include @@ -285,11 +286,11 @@ fd_revoke(l, fd, retval) goto out; } - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) goto out; - if (p->p_ucred->cr_uid != vattr.va_uid && - (error = suser(p->p_ucred, &p->p_acflag)) != 0) + if (kauth_cred_geteuid(p->p_cred) != vattr.va_uid && + (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) goto out; if ((error = vn_start_write(vp, &mp, V_WAIT | V_PCATCH)) != 0) @@ -330,7 +331,7 @@ fd_truncate(l, fd, flp, retval) if (fp->f_type != DTYPE_VNODE || vp->v_type == VFIFO) return ESPIPE; - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) return error; length = vattr.va_size; diff --git a/sys/compat/svr4/svr4_sysent.c b/sys/compat/svr4/svr4_sysent.c index b37a1ff86976..8e272772ce8c 100644 --- a/sys/compat/svr4/svr4_sysent.c +++ b/sys/compat/svr4/svr4_sysent.c @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_sysent.c,v 1.76 2006/04/02 06:34:18 macallan Exp $ */ +/* $NetBSD: svr4_sysent.c,v 1.77 2006/05/14 21:25:21 elad Exp $ */ /* * System call switch table. @@ -8,7 +8,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_sysent.c,v 1.76 2006/04/02 06:34:18 macallan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_sysent.c,v 1.77 2006/05/14 21:25:21 elad Exp $"); #if defined(_KERNEL_OPT) #include "opt_ntp.h" diff --git a/sys/compat/svr4_32/svr4_32_exec_elf32.c b/sys/compat/svr4_32/svr4_32_exec_elf32.c index 7833dbb950ef..be127c1ac375 100644 --- a/sys/compat/svr4_32/svr4_32_exec_elf32.c +++ b/sys/compat/svr4_32/svr4_32_exec_elf32.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_exec_elf32.c,v 1.14 2005/12/11 12:20:26 christos Exp $ */ +/* $NetBSD: svr4_32_exec_elf32.c,v 1.15 2006/05/14 21:25:21 elad Exp $ */ /*- * Copyright (c) 1994 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_exec_elf32.c,v 1.14 2005/12/11 12:20:26 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_exec_elf32.c,v 1.15 2006/05/14 21:25:21 elad Exp $"); #define ELFSIZE 32 /* XXX should die */ @@ -142,19 +142,19 @@ svr4_32_copyargs(l, pack, arginfo, stackp, argp) a++; a->a_type = AT_EUID; - a->a_v = p->p_ucred->cr_uid; + a->a_v = kauth_cred_geteuid(p->p_cred); a++; a->a_type = AT_RUID; - a->a_v = p->p_cred->p_ruid; + a->a_v = kauth_cred_getuid(p->p_cred); a++; a->a_type = AT_EGID; - a->a_v = p->p_ucred->cr_gid; + a->a_v = kauth_cred_getegid(p->p_cred); a++; a->a_type = AT_RGID; - a->a_v = p->p_cred->p_rgid; + a->a_v = kauth_cred_getgid(p->p_cred); a++; if (sun_hwcap) { diff --git a/sys/compat/svr4_32/svr4_32_fcntl.c b/sys/compat/svr4_32/svr4_32_fcntl.c index 0ae8298f1c01..d728dd10b1c7 100644 --- a/sys/compat/svr4_32/svr4_32_fcntl.c +++ b/sys/compat/svr4_32/svr4_32_fcntl.c @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_fcntl.c,v 1.12 2005/12/11 12:20:26 christos Exp $ */ +/* $NetBSD: svr4_32_fcntl.c,v 1.13 2006/05/14 21:25:21 elad Exp $ */ /*- * Copyright (c) 1994, 1997 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_fcntl.c,v 1.12 2005/12/11 12:20:26 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_fcntl.c,v 1.13 2006/05/14 21:25:21 elad Exp $"); #include #include @@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: svr4_32_fcntl.c,v 1.12 2005/12/11 12:20:26 christos #include #include #include +#include #include #include 
@@ -284,11 +285,11 @@ fd_revoke(l, fd, retval) goto out; } - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) goto out; - if (p->p_ucred->cr_uid != vattr.va_uid && - (error = suser(p->p_ucred, &p->p_acflag)) != 0) + if (kauth_cred_geteuid(p->p_cred) != vattr.va_uid && + (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) goto out; if ((error = vn_start_write(vp, &mp, V_WAIT | V_PCATCH)) != 0) @@ -328,7 +329,7 @@ fd_truncate(l, fd, flp, retval) if (fp->f_type != DTYPE_VNODE || vp->v_type == VFIFO) return ESPIPE; - if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, l)) != 0) + if ((error = VOP_GETATTR(vp, &vattr, p->p_cred, l)) != 0) return error; length = vattr.va_size; diff --git a/sys/compat/svr4_32/svr4_32_stat.c b/sys/compat/svr4_32/svr4_32_stat.c index c474b2f2fec0..f9d6de9e02d3 100644 --- a/sys/compat/svr4_32/svr4_32_stat.c +++ b/sys/compat/svr4_32/svr4_32_stat.c @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_stat.c,v 1.18 2005/12/11 12:20:26 christos Exp $ */ +/* $NetBSD: svr4_32_stat.c,v 1.19 2006/05/14 21:25:21 elad Exp $ */ /*- * Copyright (c) 1994 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_stat.c,v 1.18 2005/12/11 12:20:26 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_stat.c,v 1.19 2006/05/14 21:25:21 elad Exp $"); #include #include @@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: svr4_32_stat.c,v 1.18 2005/12/11 12:20:26 christos E #include #include #include +#include #include #include 
@@ -686,13 +687,13 @@ svr4_32_sys_systeminfo(l, v, retval) break; case SVR4_SI_SET_HOSTNAME: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; name[1] = KERN_HOSTNAME; break; case SVR4_SI_SET_SRPC_DOMAIN: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; name[1] = KERN_DOMAINNAME; break; diff --git a/sys/conf/files b/sys/conf/files index 698fb37d7b93..dc8bf4225cec 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $NetBSD: files,v 1.772 2006/05/05 18:26:19 thorpej Exp $ +# $NetBSD: files,v 1.773 2006/05/14 21:25:21 elad Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 @@ -1213,6 +1213,7 @@ file kern/init_main.c file kern/init_sysctl.c file kern/init_sysent.c file kern/kern_acct.c +file kern/kern_auth.c file kern/kern_clock.c file kern/kern_descrip.c file kern/kern_event.c diff --git a/sys/conf/majors b/sys/conf/majors index 01a77463500a..2519284d63cc 100644 --- a/sys/conf/majors +++ b/sys/conf/majors @@ -1,4 +1,4 @@ -# $NetBSD: majors,v 1.21 2006/04/03 08:15:48 scw Exp $ +# $NetBSD: majors,v 1.22 2006/05/14 21:25:21 elad Exp $ # # Device majors for Machine-Independent drivers. # diff --git a/sys/contrib/dev/ath/netbsd/ah_osdep.c b/sys/contrib/dev/ath/netbsd/ah_osdep.c index 88bd07b79dc8..04fe12516580 100644 --- a/sys/contrib/dev/ath/netbsd/ah_osdep.c +++ b/sys/contrib/dev/ath/netbsd/ah_osdep.c @@ -33,7 +33,7 @@ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGES. * - * $Id: ah_osdep.c,v 1.2 2006/04/05 06:54:26 gdamore Exp $ + * $Id: ah_osdep.c,v 1.3 2006/05/14 21:25:21 elad Exp $ */ #include "opt_athhal.h" #include "athhal_options.h" @@ -44,6 +44,7 @@ #include #include #include +#include #include 
@@ -225,7 +226,8 @@ ath_hal_setlogging(int enable) int error; if (enable) { - error = suser(curproc->p_ucred, &curproc->p_acflag); + error = kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, &curproc->p_acflag); if (error == 0) { error = alq_open(&ath_hal_alq, ath_hal_logfile, curproc->p_ucred, diff --git a/sys/contrib/dev/ath/public/alpha-elf.hal.o.uu b/sys/contrib/dev/ath/public/alpha-elf.hal.o.uu index 27477bd5d3fd..360298ede020 100644 --- a/sys/contrib/dev/ath/public/alpha-elf.hal.o.uu +++ b/sys/contrib/dev/ath/public/alpha-elf.hal.o.uu @@ -33,7 +33,7 @@ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGES. * - * $Id: alpha-elf.hal.o.uu,v 1.1 2006/04/02 05:52:17 gdamore Exp $ + * $Id: alpha-elf.hal.o.uu,v 1.2 2006/05/14 21:25:21 elad Exp $ */ #define ATH_HAL_VERSION "0.9.16.16" begin 644 hal.o diff --git a/sys/contrib/dev/ath/public/powerpc-le-eabi.hal.o.uu b/sys/contrib/dev/ath/public/powerpc-le-eabi.hal.o.uu index 2b3fe500c177..4fb60760ab36 100644 --- a/sys/contrib/dev/ath/public/powerpc-le-eabi.hal.o.uu +++ b/sys/contrib/dev/ath/public/powerpc-le-eabi.hal.o.uu @@ -33,7 +33,7 @@ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGES. * - * $Id: powerpc-le-eabi.hal.o.uu,v 1.1 2006/04/02 05:52:17 gdamore Exp $ + * $Id: powerpc-le-eabi.hal.o.uu,v 1.2 2006/05/14 21:25:21 elad Exp $ */ #define ATH_HAL_VERSION "0.9.16.16" begin 644 hal.o diff --git a/sys/ddb/db_command.c b/sys/ddb/db_command.c index c8726c7713c8..febecaa5e2cd 100644 --- a/sys/ddb/db_command.c +++ b/sys/ddb/db_command.c @@ -1,4 +1,4 @@ -/* $NetBSD: db_command.c,v 1.87 2006/05/14 14:00:17 he Exp $ */ +/* $NetBSD: db_command.c,v 1.88 2006/05/14 21:25:49 elad Exp $ */ /* * Mach Operating System @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: db_command.c,v 1.87 2006/05/14 14:00:17 he Exp $"); +__KERNEL_RCSID(0, "$NetBSD: db_command.c,v 1.88 2006/05/14 21:25:49 elad Exp $"); #include "opt_ddb.h" #include "opt_kgdb.h" 
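Review bot: The context line right after the converted check in ath_hal_setlogging still passes `curproc->p_ucred` to alq_open(), although every other use of p_ucred in this part of the commit is replaced by p_cred. If the old field is removed by this change, the block no longer builds wherever it is compiled in; if it does build, the log is opened with a different credential object than the one just authorized. Assuming alq_open() takes a kauth_cred_t after this change (its prototype is not in the hunk), the argument should become `curproc->p_cred,`. The function continues past the end of the hunk.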
diff --git a/sys/ddb/db_xxx.c b/sys/ddb/db_xxx.c index 85e59484ecd5..48951237f284 100644 --- a/sys/ddb/db_xxx.c +++ b/sys/ddb/db_xxx.c @@ -1,4 +1,4 @@ -/* $NetBSD: db_xxx.c,v 1.37 2006/01/22 01:08:50 uwe Exp $ */ +/* $NetBSD: db_xxx.c,v 1.38 2006/05/14 21:25:49 elad Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1991, 1993 @@ -39,7 +39,7 @@ #include "opt_kgdb.h" #include -__KERNEL_RCSID(0, "$NetBSD: db_xxx.c,v 1.37 2006/01/22 01:08:50 uwe Exp $"); +__KERNEL_RCSID(0, "$NetBSD: db_xxx.c,v 1.38 2006/05/14 21:25:49 elad Exp $"); #include #include @@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: db_xxx.c,v 1.37 2006/01/22 01:08:50 uwe Exp $"); #include #include #include +#include #include @@ -194,7 +195,7 @@ db_show_all_procs(db_expr_t addr, int haddr, db_expr_t count, const char *modif) case 'n': db_printf("%8d %8d %10d %d %#7x %4d %16s %7.7s\n", pp ? pp->p_pid : -1, p->p_pgrp->pg_id, - p->p_cred->p_ruid, p->p_stat, p->p_flag, + kauth_cred_getuid(p->p_cred), p->p_stat, p->p_flag, p->p_nlwps, p->p_comm, (p->p_nlwps != 1) ? "*" : ( (l->l_wchan && l->l_wmesg) ? diff --git a/sys/net/agr/if_agr.c b/sys/net/agr/if_agr.c index 6f9e466178d5..bdd65a113b25 100644 --- a/sys/net/agr/if_agr.c +++ b/sys/net/agr/if_agr.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_agr.c,v 1.3 2005/12/11 12:24:54 christos Exp $ */ +/* $NetBSD: if_agr.c,v 1.4 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c)2005 YAMAMOTO Takashi, @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_agr.c,v 1.3 2005/12/11 12:24:54 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_agr.c,v 1.4 2006/05/14 21:19:33 elad Exp $"); #include "bpfilter.h" #include "opt_inet.h" @@ -858,7 +858,8 @@ agr_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) case SIOCSETAGR: splx(s); p = curproc; /* XXX */ - error = suser(p->p_ucred, &p->p_acflag); + error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag); if (!error) { error = agrreq_copyin(ifr->ifr_data, &ar); } 
diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 320ecc780aee..407cc3c67c5f 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -1,4 +1,4 @@ -/* $NetBSD: bpf.c,v 1.116 2006/05/10 21:53:18 mrg Exp $ */ +/* $NetBSD: bpf.c,v 1.117 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1990, 1991, 1993 @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.116 2006/05/10 21:53:18 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.117 2006/05/14 21:19:33 elad Exp $"); #include #include @@ -64,6 +64,7 @@ __KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.116 2006/05/10 21:53:18 mrg Exp $"); #include #include #include +#include #include #include @@ -141,9 +142,9 @@ static void reset_d(struct bpf_d *); static int bpf_getdltlist(struct bpf_d *, struct bpf_dltlist *); static int bpf_setdlt(struct bpf_d *, u_int); -static int bpf_read(struct file *, off_t *, struct uio *, struct ucred *, +static int bpf_read(struct file *, off_t *, struct uio *, kauth_cred_t, int); -static int bpf_write(struct file *, off_t *, struct uio *, struct ucred *, +static int bpf_write(struct file *, off_t *, struct uio *, kauth_cred_t, int); static int bpf_ioctl(struct file *, u_long, void *, struct lwp *); static int bpf_poll(struct file *, int, struct lwp *); @@ -455,7 +456,7 @@ bpf_close(struct file *fp, struct lwp *l) */ static int bpf_read(struct file *fp, off_t *offp, struct uio *uio, - struct ucred *cred, int flags) + kauth_cred_t cred, int flags) { struct bpf_d *d = fp->f_data; int timed_out; @@ -584,7 +585,7 @@ bpf_timed_out(void *arg) static int bpf_write(struct file *fp, off_t *offp, struct uio *uio, - struct ucred *cred, int flags) + kauth_cred_t cred, int flags) { struct bpf_d *d = fp->f_data; struct ifnet *ifp; 
@@ -1702,7 +1703,9 @@ sysctl_net_bpf_peers(SYSCTLFN_ARGS) if (namelen != 2) return (EINVAL); - if ((error = suser(l->l_proc->p_ucred, &l->l_proc->p_acflag))) + if ((error = kauth_authorize_generic(l->l_proc->p_cred, + KAUTH_GENERIC_ISSUSER, + &l->l_proc->p_acflag))) return (error); len = (oldp != NULL) ? *oldlenp : 0; diff --git a/sys/net/if.c b/sys/net/if.c index 2a6b019bd68e..561000222c18 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -1,4 +1,4 @@ -/* $NetBSD: if.c,v 1.164 2006/05/01 18:17:42 dyoung Exp $ */ +/* $NetBSD: if.c,v 1.165 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc. @@ -97,7 +97,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.164 2006/05/01 18:17:42 dyoung Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.165 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" @@ -123,6 +123,7 @@ __KERNEL_RCSID(0, "$NetBSD: if.c,v 1.164 2006/05/01 18:17:42 dyoung Exp $"); #include #include #include +#include #include #include @@ -1361,7 +1362,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct lwp *l) case SIOCIFCREATE: case SIOCIFDESTROY: if (l) { - error = suser(l->l_proc->p_ucred, &l->l_proc->p_acflag); + error = kauth_authorize_generic(l->l_proc->p_cred, + KAUTH_GENERIC_ISSUSER, + &l->l_proc->p_acflag); if (error) return error; } @@ -1399,7 +1402,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct lwp *l) case SIOCS80211BSSID: case SIOCS80211CHANNEL: if (l) { - error = suser(l->l_proc->p_ucred, &l->l_proc->p_acflag); + error = kauth_authorize_generic(l->l_proc->p_cred, + KAUTH_GENERIC_ISSUSER, + &l->l_proc->p_acflag); if (error) return error; } diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index b2825f3f63d8..8add19ad271d 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c 
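Review bot: In both ifioctl hunks (the SIOCIFCREATE/SIOCIFDESTROY cases and the group ending in SIOCS80211CHANNEL) the superuser check runs only inside `if (l) { ... }`, so a call with a NULL lwp reaches these operations with no authorization at all. That may be intended for in-kernel callers, but nothing in the hunks says so. A comment such as `/* l == NULL: in-kernel caller, no credential to check */` would document the trust assumption, or the NULL case could be rejected if no such caller exists. ifioctl starts and ends outside the hunks.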
@@ -1,4 +1,4 @@ -/* $NetBSD: if_bridge.c,v 1.36 2006/01/17 13:23:02 christos Exp $ */ +/* $NetBSD: if_bridge.c,v 1.37 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright 2001 Wasabi Systems, Inc. @@ -80,7 +80,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.36 2006/01/17 13:23:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.37 2006/05/14 21:19:33 elad Exp $"); #include "opt_bridge_ipf.h" #include "opt_inet.h" @@ -97,6 +97,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.36 2006/01/17 13:23:02 christos Exp #include #include #include +#include #if NBPFILTER > 0 #include @@ -478,7 +479,9 @@ bridge_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } if (bc->bc_flags & BC_F_SUSER) { - error = suser(p->p_ucred, &p->p_acflag); + error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag); if (error) break; } diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c index 208e48cc9866..2909af0adc26 100644 --- a/sys/net/if_ethersubr.c +++ b/sys/net/if_ethersubr.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_ethersubr.c,v 1.131 2006/05/12 01:20:33 mrg Exp $ */ +/* $NetBSD: if_ethersubr.c,v 1.132 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.131 2006/05/12 01:20:33 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.132 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "opt_atalk.h" @@ -91,6 +91,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.131 2006/05/12 01:20:33 mrg Exp $ #include #include #include +#include #include diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c index 2f39df2d5d7e..007e6536cfd8 100644 --- a/sys/net/if_gif.c +++ b/sys/net/if_gif.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_gif.c,v 1.58 2006/03/08 03:09:33 msaitoh Exp $ */ +/* $NetBSD: if_gif.c,v 1.59 2006/05/14 21:19:33 elad Exp $ */ /* $KAME: if_gif.c,v 1.76 2001/08/20 02:01:02 kjc Exp $ */ /* 
@@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.58 2006/03/08 03:09:33 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.59 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "opt_iso.h" @@ -48,6 +48,8 @@ __KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.58 2006/03/08 03:09:33 msaitoh Exp $"); #include #include #include +#include + #include #include @@ -601,7 +603,9 @@ gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) break; case SIOCSIFMTU: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) break; mtu = ifr->ifr_mtu; if (mtu < GIF_MTU_MIN || mtu > GIF_MTU_MAX) @@ -617,7 +621,7 @@ gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) case SIOCSIFPHYADDR_IN6: #endif /* INET6 */ case SIOCSLIFPHYADDR: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; switch (cmd) { #ifdef INET @@ -706,7 +710,7 @@ gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) #ifdef SIOCDIFPHYADDR case SIOCDIFPHYADDR: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; gif_delete_tunnel(&sc->gif_if); break; diff --git a/sys/net/if_gre.c b/sys/net/if_gre.c index 0f539031dfb1..41f884817b8b 100644 --- a/sys/net/if_gre.c +++ b/sys/net/if_gre.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_gre.c,v 1.59 2005/12/11 23:05:25 thorpej Exp $ */ +/* $NetBSD: if_gre.c,v 1.60 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_gre.c,v 1.59 2005/12/11 23:05:25 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_gre.c,v 1.60 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "opt_ns.h" 
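Review bot: In `gif_ioctl` the SIOCSIFMTU case wraps the new call over three lines, but the SIOCSLIFPHYADDR and SIOCDIFPHYADDR cases put `if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0)` on a single line well past 80 columns. The same unwrapped form recurs in the gre_ioctl, pppioctl, pppsioctl, pppoe_ioctl, slopen, sppp_ioctl, stf_ioctl, stripopen, tunopen, vlan_ioctl, pppopen and ppptioctl hunks. Every call site passes the same three arguments, so wrapping them all the way the first gif hunk does would keep these privilege checks easy to compare by eye when auditing. gif_ioctl's body extends beyond the hunks.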
@@ -65,6 +65,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_gre.c,v 1.59 2005/12/11 23:05:25 thorpej Exp $"); #include #if __NetBSD__ #include +#include #endif #include @@ -363,7 +364,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) case SIOCSIFDSTADDR: break; case SIOCSIFFLAGS: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; if ((ifr->ifr_flags & IFF_LINK0) != 0) sc->g_proto = IPPROTO_GRE; @@ -371,7 +372,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) sc->g_proto = IPPROTO_MOBILE; break; case SIOCSIFMTU: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; if (ifr->ifr_mtu < 576) { error = EINVAL; @@ -403,7 +404,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } break; case GRESPROTO: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; sc->g_proto = ifr->ifr_flags; switch (sc->g_proto) { @@ -423,7 +424,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) break; case GRESADDRS: case GRESADDRD: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; /* * set tunnel endpoints, compute a less specific route @@ -462,7 +463,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) ifr->ifr_addr = *sa; break; case SIOCSLIFPHYADDR: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; if (lifr->addr.ss_family != AF_INET || lifr->dstaddr.ss_family != AF_INET) { 
@@ -479,7 +480,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) (satosin((struct sockadrr *)&lifr->dstaddr))->sin_addr; goto recompute; case SIOCDIFPHYADDR: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; sc->g_src.s_addr = INADDR_ANY; sc->g_dst.s_addr = INADDR_ANY; diff --git a/sys/net/if_ppp.c b/sys/net/if_ppp.c index 2eede1c7d418..c3c70d3ac9ab 100644 --- a/sys/net/if_ppp.c +++ b/sys/net/if_ppp.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_ppp.c,v 1.105 2006/01/02 01:42:36 yamt Exp $ */ +/* $NetBSD: if_ppp.c,v 1.106 2006/05/14 21:19:33 elad Exp $ */ /* Id: if_ppp.c,v 1.6 1997/03/04 03:33:00 paulus Exp */ /* @@ -102,7 +102,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.105 2006/01/02 01:42:36 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.106 2006/05/14 21:19:33 elad Exp $"); #include "ppp.h" @@ -125,6 +125,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.105 2006/01/02 01:42:36 yamt Exp $"); #include #include #include +#include #include #include @@ -535,7 +536,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data, int flag, break; case PPPIOCSFLAGS: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); flags = *(int *)data & SC_MASK; s = splsoftnet(); @@ -549,7 +550,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data, int flag, break; case PPPIOCSMRU: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); mru = *(int *)data; if (mru >= PPP_MINMRU && mru <= PPP_MAXMRU) 
@@ -562,7 +563,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data, int flag, #ifdef VJC case PPPIOCSMAXCID: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); if (sc->sc_comp) { s = splsoftnet(); @@ -573,14 +574,14 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data, int flag, #endif case PPPIOCXFERUNIT: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); sc->sc_xfer = p->p_pid; break; #ifdef PPP_COMPRESS case PPPIOCSCOMPRESS: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); odp = (struct ppp_option_data *) data; nb = odp->length; @@ -653,7 +654,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data, int flag, if (cmd == PPPIOCGNPMODE) { npi->mode = sc->sc_npmode[npx]; } else { - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); if (npi->mode != sc->sc_npmode[npx]) { s = splnet(); @@ -794,7 +795,7 @@ pppsioctl(struct ifnet *ifp, u_long cmd, caddr_t data) break; case SIOCSIFMTU: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; sc->sc_if.if_mtu = ifr->ifr_mtu; break; diff --git a/sys/net/if_pppoe.c b/sys/net/if_pppoe.c index 987a83a4690c..16515a13b05f 100644 --- a/sys/net/if_pppoe.c +++ b/sys/net/if_pppoe.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_pppoe.c,v 1.67 2006/04/27 20:04:26 tron Exp $ */ +/* $NetBSD: if_pppoe.c,v 1.68 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. 
@@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.67 2006/04/27 20:04:26 tron Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.68 2006/05/14 21:19:33 elad Exp $"); #include "pppoe.h" #include "bpfilter.h" @@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.67 2006/04/27 20:04:26 tron Exp $"); #include #include #include +#include #include #include #include @@ -858,7 +859,7 @@ pppoe_ioctl(struct ifnet *ifp, unsigned long cmd, caddr_t data) case PPPOESETPARMS: { struct pppoediscparms *parms = (struct pppoediscparms*)data; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return error; if (parms->eth_ifname[0] != 0) { struct ifnet *eth_if; diff --git a/sys/net/if_sl.c b/sys/net/if_sl.c index 64188dbf2cb1..579cb7d5d205 100644 --- a/sys/net/if_sl.c +++ b/sys/net/if_sl.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_sl.c,v 1.96 2006/03/02 17:20:07 christos Exp $ */ +/* $NetBSD: if_sl.c,v 1.97 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1987, 1989, 1992, 1993 @@ -60,7 +60,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_sl.c,v 1.96 2006/03/02 17:20:07 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_sl.c,v 1.97 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "bpfilter.h" @@ -79,6 +79,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_sl.c,v 1.96 2006/03/02 17:20:07 christos Exp $"); #include #if __NetBSD__ #include +#include #endif #include @@ -306,7 +307,7 @@ slopen(dev_t dev, struct tty *tp) int error; int s; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); if (tp->t_linesw == &slip_disc) diff --git a/sys/net/if_spppsubr.c b/sys/net/if_spppsubr.c index aadce8dc06f1..529fdc60515b 100644 --- a/sys/net/if_spppsubr.c +++ b/sys/net/if_spppsubr.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: if_spppsubr.c,v 1.89 2006/05/14 05:30:31 christos Exp $ */ +/* $NetBSD: if_spppsubr.c,v 1.90 2006/05/14 21:19:33 elad Exp $ */ /* * Synchronous PPP/Cisco link level subroutines. @@ -41,7 +41,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.89 2006/05/14 05:30:31 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.90 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "opt_ipx.h" @@ -61,6 +61,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.89 2006/05/14 05:30:31 christos Ex #include #include #include +#include #include #include @@ -1147,7 +1148,7 @@ sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) { struct proc *p = curproc; /* XXX */ - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; } /* FALLTHROUGH */ diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c index 1114d19990ae..717e286fe379 100644 --- a/sys/net/if_stf.c +++ b/sys/net/if_stf.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_stf.c,v 1.50 2005/12/11 23:05:25 thorpej Exp $ */ +/* $NetBSD: if_stf.c,v 1.51 2006/05/14 21:19:33 elad Exp $ */ /* $KAME: if_stf.c,v 1.62 2001/06/07 22:32:16 itojun Exp $ */ /* @@ -75,7 +75,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_stf.c,v 1.50 2005/12/11 23:05:25 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_stf.c,v 1.51 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" @@ -90,6 +90,8 @@ __KERNEL_RCSID(0, "$NetBSD: if_stf.c,v 1.50 2005/12/11 23:05:25 thorpej Exp $"); #include #include #include +#include + #include #include @@ -715,7 +717,7 @@ stf_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) break; case SIOCSIFMTU: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; ifr = (struct ifreq *)data; mtu = ifr->ifr_mtu; 
diff --git a/sys/net/if_strip.c b/sys/net/if_strip.c index ff12122a1ea7..6085678b6f00 100644 --- a/sys/net/if_strip.c +++ b/sys/net/if_strip.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_strip.c,v 1.64 2005/12/11 23:05:25 thorpej Exp $ */ +/* $NetBSD: if_strip.c,v 1.65 2006/05/14 21:19:33 elad Exp $ */ /* from: NetBSD: if_sl.c,v 1.38 1996/02/13 22:00:23 christos Exp $ */ /* @@ -87,7 +87,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_strip.c,v 1.64 2005/12/11 23:05:25 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_strip.c,v 1.65 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "bpfilter.h" @@ -106,6 +106,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_strip.c,v 1.64 2005/12/11 23:05:25 thorpej Exp $" #if __NetBSD__ #include #include +#include #endif #include @@ -481,7 +482,7 @@ stripopen(dev_t dev, struct tty *tp) int s; #endif - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); if (tp->t_linesw == &strip_disc) diff --git a/sys/net/if_tap.c b/sys/net/if_tap.c index 7fbc87abeddd..aa53cc4064fa 100644 --- a/sys/net/if_tap.c +++ b/sys/net/if_tap.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_tap.c,v 1.16 2006/03/29 04:16:51 thorpej Exp $ */ +/* $NetBSD: if_tap.c,v 1.17 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 2003, 2004 The NetBSD Foundation. @@ -43,7 +43,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_tap.c,v 1.16 2006/03/29 04:16:51 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_tap.c,v 1.17 2006/05/14 21:19:33 elad Exp $"); #if defined(_KERNEL_OPT) #include "bpfilter.h" @@ -62,6 +62,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_tap.c,v 1.16 2006/03/29 04:16:51 thorpej Exp $"); #include #include #include +#include #include #include 
@@ -140,9 +141,9 @@ static int tap_dev_kqfilter(int, struct knote *); /* Fileops access routines */ static int tap_fops_close(struct file *, struct lwp *); static int tap_fops_read(struct file *, off_t *, struct uio *, - struct ucred *, int); + kauth_cred_t, int); static int tap_fops_write(struct file *, off_t *, struct uio *, - struct ucred *, int); + kauth_cred_t, int); static int tap_fops_ioctl(struct file *, u_long, void *, struct lwp *); static int tap_fops_poll(struct file *, int, struct lwp *); @@ -807,7 +808,7 @@ tap_cdev_read(dev_t dev, struct uio *uio, int flags) static int tap_fops_read(struct file *fp, off_t *offp, struct uio *uio, - struct ucred *cred, int flags) + kauth_cred_t cred, int flags) { return tap_dev_read((intptr_t)fp->f_data, uio, flags); } @@ -906,7 +907,7 @@ tap_cdev_write(dev_t dev, struct uio *uio, int flags) static int tap_fops_write(struct file *fp, off_t *offp, struct uio *uio, - struct ucred *cred, int flags) + kauth_cred_t cred, int flags) { return tap_dev_write((intptr_t)fp->f_data, uio, flags); } diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c index 28df900640ed..91a94fc08ed2 100644 --- a/sys/net/if_tun.c +++ b/sys/net/if_tun.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_tun.c,v 1.88 2006/04/18 19:30:49 rpaulo Exp $ */ +/* $NetBSD: if_tun.c,v 1.89 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1988, Julian Onions @@ -15,7 +15,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.88 2006/04/18 19:30:49 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.89 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "opt_ns.h" @@ -35,6 +35,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.88 2006/04/18 19:30:49 rpaulo Exp $"); #include #include #include +#include #include 
@@ -279,7 +280,7 @@ tunopen(dev_t dev, int flag, int mode, struct lwp *l) struct tun_softc *tp; int s, error; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); s = splnet(); diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c index 9aae7ec3cc90..dd305fcc70bf 100644 --- a/sys/net/if_vlan.c +++ b/sys/net/if_vlan.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_vlan.c,v 1.47 2005/12/11 12:24:51 christos Exp $ */ +/* $NetBSD: if_vlan.c,v 1.48 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c) 2000, 2001 The NetBSD Foundation, Inc. @@ -85,7 +85,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_vlan.c,v 1.47 2005/12/11 12:24:51 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_vlan.c,v 1.48 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" #include "bpfilter.h" @@ -98,6 +98,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_vlan.c,v 1.47 2005/12/11 12:24:51 christos Exp $" #include #include #include +#include #if NBPFILTER > 0 #include @@ -514,7 +515,7 @@ vlan_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) break; case SIOCSETVLAN: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; if ((error = copyin(ifr->ifr_data, &vlr, sizeof(vlr))) != 0) break; diff --git a/sys/net/net_osdep.h b/sys/net/net_osdep.h index 41c41ed3c8d0..c8459f9f4d92 100644 --- a/sys/net/net_osdep.h +++ b/sys/net/net_osdep.h @@ -1,4 +1,4 @@ -/* $NetBSD: net_osdep.h,v 1.12 2006/01/28 01:49:58 rpaulo Exp $ */ +/* $NetBSD: net_osdep.h,v 1.13 2006/05/14 21:19:33 elad Exp $ */ /* $KAME: net_osdep.h,v 1.51 2001/07/06 06:21:43 itojun Exp $ */ /* @@ -82,7 +82,7 @@ * NetBSD * struct lwp *l; * if (l->l_proc && - * !suser(l->l_proc->p_ucred, &l->l_proc->p_acflag)) + * !kauth_authorize_generic(l->l_proc->p_cred, KAUTH_GENERIC_ISSUSER, &l->l_proc->p_acflag)) * privileged; * FreeBSD 3 * struct proc *p; 
diff --git a/sys/net/ppp_tty.c b/sys/net/ppp_tty.c index 146ecc227d60..50e83e763359 100644 --- a/sys/net/ppp_tty.c +++ b/sys/net/ppp_tty.c @@ -1,4 +1,4 @@ -/* $NetBSD: ppp_tty.c,v 1.41 2005/12/11 23:05:25 thorpej Exp $ */ +/* $NetBSD: ppp_tty.c,v 1.42 2006/05/14 21:19:33 elad Exp $ */ /* Id: ppp_tty.c,v 1.3 1996/07/01 01:04:11 paulus Exp */ /* @@ -93,7 +93,7 @@ /* from NetBSD: if_ppp.c,v 1.15.2.2 1994/07/28 05:17:58 cgd Exp */ #include -__KERNEL_RCSID(0, "$NetBSD: ppp_tty.c,v 1.41 2005/12/11 23:05:25 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ppp_tty.c,v 1.42 2006/05/14 21:19:33 elad Exp $"); #include "ppp.h" @@ -113,6 +113,7 @@ __KERNEL_RCSID(0, "$NetBSD: ppp_tty.c,v 1.41 2005/12/11 23:05:25 thorpej Exp $") #include #include #include +#include #include #include @@ -207,7 +208,7 @@ pppopen(dev_t dev, struct tty *tp) struct ppp_softc *sc; int error, s; - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) return (error); s = spltty(); @@ -450,7 +451,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct lwp *l) break; case PPPIOCSASYNCMAP: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; sc->sc_asyncmap[0] = *(u_int *)data; break; @@ -460,7 +461,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct lwp *l) break; case PPPIOCSRASYNCMAP: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; sc->sc_rasyncmap = *(u_int *)data; break; 
@@ -470,7 +471,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct lwp *l) break; case PPPIOCSXASYNCMAP: - if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if ((error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) != 0) break; s = spltty(); bcopy(data, sc->sc_asyncmap, sizeof(sc->sc_asyncmap)); diff --git a/sys/net/raw_usrreq.c b/sys/net/raw_usrreq.c index af5724a92ba7..39b3e82c204c 100644 --- a/sys/net/raw_usrreq.c +++ b/sys/net/raw_usrreq.c @@ -1,4 +1,4 @@ -/* $NetBSD: raw_usrreq.c,v 1.25 2005/12/11 23:05:25 thorpej Exp $ */ +/* $NetBSD: raw_usrreq.c,v 1.26 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1980, 1986, 1993 @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.25 2005/12/11 23:05:25 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.26 2006/05/14 21:19:33 elad Exp $"); #include #include @@ -43,6 +43,7 @@ __KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.25 2005/12/11 23:05:25 thorpej Exp #include #include #include +#include #include #include @@ -194,7 +195,7 @@ raw_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam, * the appropriate raw interface routine. */ case PRU_ATTACH: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) { + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) { error = EACCES; break; } diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 190a22be3905..762db35071c8 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1,4 +1,4 @@ -/* $NetBSD: rtsock.c,v 1.83 2006/04/15 02:14:44 christos Exp $ */ +/* $NetBSD: rtsock.c,v 1.84 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.83 2006/04/15 02:14:44 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.84 2006/05/14 21:19:33 elad Exp $"); #include "opt_inet.h" 
@@ -74,6 +74,7 @@ __KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.83 2006/04/15 02:14:44 christos Exp $") #include #include #include +#include #include #include @@ -260,7 +261,7 @@ route_output(struct mbuf *m, ...) * is the only operation the non-superuser is allowed. */ if (rtm->rtm_type != RTM_GET && - suser(curproc->p_ucred, &curproc->p_acflag) != 0) + kauth_authorize_generic(curproc->p_cred, KAUTH_GENERIC_ISSUSER, &curproc->p_acflag) != 0) senderr(EACCES); switch (rtm->rtm_type) { diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c index f86f5f1e4b94..0e49520e6544 100644 --- a/sys/net80211/ieee80211_input.c +++ b/sys/net80211/ieee80211_input.c @@ -1,4 +1,4 @@ -/* $NetBSD: ieee80211_input.c,v 1.58 2006/03/17 23:29:09 christos Exp $ */ +/* $NetBSD: ieee80211_input.c,v 1.59 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c) 2001 Atsushi Onoe * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting @@ -36,7 +36,7 @@ __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); #endif #ifdef __NetBSD__ -__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.58 2006/03/17 23:29:09 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.59 2006/05/14 21:19:33 elad Exp $"); #endif #include "opt_inet.h" diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index 0482623a5376..1cbaffcfd42b 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: ieee80211_ioctl.c,v 1.31 2006/03/17 23:29:09 christos Exp $ */ +/* $NetBSD: ieee80211_ioctl.c,v 1.32 2006/05/14 21:19:33 elad Exp $ */ /*- * Copyright (c) 2001 Atsushi Onoe * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 
@@ -36,7 +36,7 @@ __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_ioctl.c,v 1.35 2005/08/30 14:27:47 avatar Exp $"); #endif #ifdef __NetBSD__ -__KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.31 2006/03/17 23:29:09 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.32 2006/05/14 21:19:33 elad Exp $"); #endif /* @@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.31 2006/03/17 23:29:09 christo #include #include #include +#include #include #include @@ -358,7 +359,9 @@ ieee80211_cfgget(struct ieee80211com *ic, u_long cmd, caddr_t data) case WI_RID_DEFLT_CRYPT_KEYS: keys = (struct wi_ltv_keys *)&wreq; /* do not show keys to non-root user */ - error = suser(curproc->p_ucred, &curproc->p_acflag); + error = kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag); if (error) { memset(keys, 0, sizeof(*keys)); error = 0; @@ -881,7 +884,8 @@ ieee80211_ioctl_getkey(struct ieee80211com *ic, struct ieee80211req *ireq) ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == ic->ic_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - if (suser(curproc->p_ucred, &curproc->p_acflag) == 0) { + if (kauth_authorize_generic(curproc->p_cred, KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc; ik.ik_keytsc = wk->wk_keytsc; @@ -1351,7 +1355,8 @@ ieee80211_ioctl_get80211(struct ieee80211com *ic, u_long cmd, struct ieee80211re return EINVAL; len = (u_int) ic->ic_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - if (suser(curproc->p_ucred, &curproc->p_acflag) == 0) { + if (kauth_authorize_generic(curproc->p_cred, KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag) == 0) { bcopy(ic->ic_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); 
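Review bot: The comments guarding key disclosure in `ieee80211_cfgget`, `ieee80211_ioctl_getkey` and `ieee80211_ioctl_get80211` still read "non-root user" and "only root can read key data", but the decision is now whatever `kauth_authorize_generic(curproc->p_cred, KAUTH_GENERIC_ISSUSER, ...)` returns. I would reword them to match, e.g. `/* NB: key data only for callers kauth authorizes as superuser */`, so a later reader does not assume a plain uid comparison. In `ieee80211_cfgget` it is also worth one line stating that `error` is deliberately reset to 0 after the `memset`, i.e. an unauthorized caller receives a successful reply with zeroed keys rather than an error. All three functions continue outside the hunks.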
@@ -2606,7 +2611,9 @@ ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data) (struct ieee80211req *) data); break; case SIOCS80211: - if ((error = suser(curproc->p_ucred, &curproc->p_acflag)) != 0) + if ((error = kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag)) != 0) break; error = ieee80211_ioctl_set80211(ic, cmd, (struct ieee80211req *) data); @@ -2743,8 +2750,8 @@ ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data) if (nwkey->i_key[i].i_keydat == NULL) continue; /* do not show any keys to non-root user */ - if ((error = suser(curproc->p_ucred, - &curproc->p_acflag)) != 0) + if ((error = kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, &curproc->p_acflag)) != 0) break; nwkey->i_key[i].i_keylen = ic->ic_nw_keys[i].wk_keylen; if ((error = copyout(ic->ic_nw_keys[i].wk_key, @@ -2852,7 +2859,9 @@ ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data) error = ieee80211_cfgget(ic, cmd, data); break; case SIOCSIFGENERIC: - error = suser(curproc->p_ucred, &curproc->p_acflag); + error = kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag); if (error) break; error = ieee80211_cfgset(ic, cmd, data); diff --git a/sys/netatalk/at_control.c b/sys/netatalk/at_control.c index 9c7584436856..438fa1b09870 100644 --- a/sys/netatalk/at_control.c +++ b/sys/netatalk/at_control.c @@ -1,4 +1,4 @@ -/* $NetBSD: at_control.c,v 1.12 2006/04/09 18:33:43 christos Exp $ */ +/* $NetBSD: at_control.c,v 1.13 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1990,1994 Regents of The University of Michigan. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: at_control.c,v 1.12 2006/04/09 18:33:43 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: at_control.c,v 1.13 2006/05/14 21:19:33 elad Exp $"); #include #include 
@@ -38,6 +38,7 @@ __KERNEL_RCSID(0, "$NetBSD: at_control.c,v 1.12 2006/04/09 18:33:43 christos Exp #include #include #include +#include #include #include #include @@ -127,7 +128,8 @@ at_control(cmd, data, ifp, p) * If we are not superuser, then we don't get to do these * ops. */ - if (p && suser(p->p_ucred, &p->p_acflag)) + if (p && kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) return (EPERM); sat = satosat(&ifr->ifr_addr); diff --git a/sys/netatalk/ddp_usrreq.c b/sys/netatalk/ddp_usrreq.c index f0a72ce1c3e1..78244c128050 100644 --- a/sys/netatalk/ddp_usrreq.c +++ b/sys/netatalk/ddp_usrreq.c @@ -1,4 +1,4 @@ -/* $NetBSD: ddp_usrreq.c,v 1.15 2006/04/12 01:12:30 christos Exp $ */ +/* $NetBSD: ddp_usrreq.c,v 1.16 2006/05/14 21:19:33 elad Exp $ */ /* * Copyright (c) 1990,1991 Regents of The University of Michigan. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.15 2006/04/12 01:12:30 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.16 2006/05/14 21:19:33 elad Exp $"); #include "opt_mbuftrace.h" @@ -40,6 +40,7 @@ __KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.15 2006/04/12 01:12:30 christos Exp #include #include #include +#include #include #include #include @@ -274,7 +275,8 @@ at_pcbsetaddr(ddp, addr, p) return (EINVAL); if (sat->sat_port < ATPORT_RESERVED && p && - suser(p->p_ucred, &p->p_acflag)) + kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) return (EACCES); } } else { diff --git a/sys/netccitt/llc_subr.c b/sys/netccitt/llc_subr.c index 7bfbb9a4d8dc..862ca35d2e6b 100644 --- a/sys/netccitt/llc_subr.c +++ b/sys/netccitt/llc_subr.c @@ -1,4 +1,4 @@ -/* $NetBSD: llc_subr.c,v 1.23 2006/03/17 23:29:10 christos Exp $ */ +/* $NetBSD: llc_subr.c,v 1.24 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (c) 1992, 1993 
@@ -76,7 +76,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: llc_subr.c,v 1.23 2006/03/17 23:29:10 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: llc_subr.c,v 1.24 2006/05/14 21:19:34 elad Exp $"); #include #include diff --git a/sys/netccitt/pk_acct.c b/sys/netccitt/pk_acct.c index 9ba2b70d41f7..e894f0c44c64 100644 --- a/sys/netccitt/pk_acct.c +++ b/sys/netccitt/pk_acct.c @@ -1,4 +1,4 @@ -/* $NetBSD: pk_acct.c,v 1.21 2005/12/11 12:24:54 christos Exp $ */ +/* $NetBSD: pk_acct.c,v 1.22 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (c) 1990, 1993 @@ -74,7 +74,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pk_acct.c,v 1.21 2005/12/11 12:24:54 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pk_acct.c,v 1.22 2006/05/14 21:19:34 elad Exp $"); #include #include @@ -85,6 +85,7 @@ __KERNEL_RCSID(0, "$NetBSD: pk_acct.c,v 1.21 2005/12/11 12:24:54 christos Exp $" #include #include #include +#include #include @@ -125,7 +126,7 @@ pk_accton(path) if (oacctp) { close: p = l->l_proc; - error = vn_close (oacctp, FWRITE, p->p_ucred, l); + error = vn_close (oacctp, FWRITE, p->p_cred, l); } return (error); } @@ -159,7 +160,7 @@ pk_acct(lcp) acbuf.x25acct_revcharge = 1; acbuf.x25acct_stime = lcp -> lcd_stime; acbuf.x25acct_etime = time.tv_sec - acbuf.x25acct_stime; - acbuf.x25acct_uid = curproc -> p_cred -> p_ruid; + acbuf.x25acct_uid = kauth_cred_getuid(curproc->p_cred); acbuf.x25acct_psize = sa -> x25_opts.op_psize; acbuf.x25acct_net = sa -> x25_net; /* @@ -181,6 +182,6 @@ pk_acct(lcp) (void) vn_rdwr(UIO_WRITE, vp, (caddr_t)&acbuf, sizeof (acbuf), (off_t)0, UIO_SYSSPACE, IO_UNIT|IO_APPEND, - curproc -> p_ucred, (size_t *)0, + curproc -> p_cred, (size_t *)0, NULL); } diff --git a/sys/netccitt/pk_usrreq.c b/sys/netccitt/pk_usrreq.c index 9cd0aec29b06..744b2dcf1e3f 100644 --- a/sys/netccitt/pk_usrreq.c +++ b/sys/netccitt/pk_usrreq.c 
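Review bot: In `pk_acct` the accounting uid changes from `curproc -> p_cred -> p_ruid` to `kauth_cred_getuid(curproc->p_cred)`, the one replacement in pk_acct.c that is not a plain credential-pointer swap, and nothing on the line says which uid the record now carries. kauth(9) documents kauth_cred_getuid as returning the real uid, which would preserve the old value. A short comment, `/* real uid, as before (formerly p_cred->p_ruid) */`, would make that explicit for anyone later tempted to switch it to kauth_cred_geteuid. pk_acct's body starts and ends outside the hunk.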
@@ -1,4 +1,4 @@ -/* $NetBSD: pk_usrreq.c,v 1.27 2005/12/11 12:24:54 christos Exp $ */ +/* $NetBSD: pk_usrreq.c,v 1.28 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (c) 1991, 1992, 1993 @@ -78,7 +78,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pk_usrreq.c,v 1.27 2005/12/11 12:24:54 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pk_usrreq.c,v 1.28 2006/05/14 21:19:34 elad Exp $"); #include #include @@ -90,6 +90,7 @@ __KERNEL_RCSID(0, "$NetBSD: pk_usrreq.c,v 1.27 2005/12/11 12:24:54 christos Exp #include #include #include +#include #include #include @@ -414,7 +415,9 @@ pk_control(so, cmd, data, ifp, p) return (0); case SIOCSIFCONF_X25: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (EPERM); if (ifp == 0) panic("pk_control"); @@ -493,7 +496,8 @@ pk_ctloutput(cmd, so, level, optname, mp) return (0); case PK_ACCTFILE: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag))) error = EPERM; else if (m->m_len) error = pk_accton(mtod(m, char *)); diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 9fd0e4ea5f3f..26a81eec3947 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -1,4 +1,4 @@ -/* $NetBSD: in.c,v 1.107 2006/05/10 21:53:18 mrg Exp $ */ +/* $NetBSD: in.c,v 1.108 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -98,7 +98,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.107 2006/05/10 21:53:18 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.108 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_inet_conf.h" @@ -114,6 +114,7 @@ __KERNEL_RCSID(0, "$NetBSD: in.c,v 1.107 2006/05/10 21:53:18 mrg Exp $"); #include #include #include +#include #include #include 
@@ -320,7 +321,8 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, switch (cmd) { case SIOCALIFADDR: case SIOCDLIFADDR: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (EPERM); /*fall through*/ case SIOCGLIFADDR: @@ -375,7 +377,8 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, (cmd == SIOCSIFNETMASK || cmd == SIOCSIFDSTADDR)) return (EADDRNOTAVAIL); - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (EPERM); if (ia == 0) { @@ -404,7 +407,8 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, break; case SIOCSIFBRDADDR: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (EPERM); /* FALLTHROUGH */ diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 9f431965ae11..3dcb329294b2 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $NetBSD: in_pcb.c,v 1.101 2005/11/15 18:39:46 dsl Exp $ */ +/* $NetBSD: in_pcb.c,v 1.102 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -98,7 +98,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.101 2005/11/15 18:39:46 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.102 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -115,6 +115,7 @@ __KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.101 2005/11/15 18:39:46 dsl Exp $"); #include #include #include +#include #include #include 
@@ -266,7 +267,7 @@ in_pcbbind(void *v, struct mbuf *nam, struct proc *p) #ifndef IPNOPRIVPORTS /* GROSS */ if (ntohs(lport) < IPPORT_RESERVED && - (p == 0 || suser(p->p_ucred, &p->p_acflag))) + (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return (EACCES); #endif #ifdef INET6 @@ -307,7 +308,8 @@ noname: if (inp->inp_flags & INP_LOWPORT) { #ifndef IPNOPRIVPORTS - if (p == 0 || suser(p->p_ucred, &p->p_acflag)) + if (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) return (EACCES); #endif mymin = lowportmin; diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index b8c6aa872211..8da9add25563 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_output.c,v 1.160 2006/02/23 01:35:19 christos Exp $ */ +/* $NetBSD: ip_output.c,v 1.161 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -98,7 +98,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.160 2006/02/23 01:35:19 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.161 2006/05/14 21:19:34 elad Exp $"); #include "opt_pfil_hooks.h" #include "opt_inet.h" @@ -1372,7 +1372,8 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, int priv = 0; #ifdef __NetBSD__ - if (p == 0 || suser(p->p_ucred, &p->p_acflag)) + if (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) priv = 0; else priv = 1; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 17983da4dc2c..600729bcdcd4 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip.c,v 1.88 2005/12/11 12:24:57 christos Exp $ */ +/* $NetBSD: raw_ip.c,v 1.89 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 
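Review bot: ip_ctloutput now calls `kauth_authorize_generic()` with `KAUTH_GENERIC_ISSUSER`, but the ip_output.c section adds no `#include` line, whereas the in_pcb.c and raw_ip.c sections each gain one alongside the same conversion. Unless the declaration already arrives through another header (not visible on this page), the file should include the kauth header explicitly, e.g. `#include <sys/kauth.h>`, so the privilege check does not depend on an indirect include. The i4b_ipr.c section (iripioctl) shows the same gap. ip_ctloutput continues outside the hunk.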
@@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.88 2005/12/11 12:24:57 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.89 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -77,6 +77,7 @@ __KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.88 2005/12/11 12:24:57 christos Exp $") #include #include #include +#include #include #include @@ -542,7 +543,8 @@ rip_usrreq(struct socket *so, int req, error = EISCONN; break; } - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) { + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag))) { error = EACCES; break; } diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c index 2c215f21222e..3267f7459bb1 100644 --- a/sys/netinet/tcp_timer.c +++ b/sys/netinet/tcp_timer.c @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_timer.c,v 1.74 2006/04/15 02:33:41 christos Exp $ */ +/* $NetBSD: tcp_timer.c,v 1.75 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -100,7 +100,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.74 2006/04/15 02:33:41 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.75 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_tcp_debug.h" diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index c6df2a934873..c1117e6e3da8 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_usrreq.c,v 1.116 2006/04/15 00:29:25 christos Exp $ */ +/* $NetBSD: tcp_usrreq.c,v 1.117 2006/05/14 21:19:34 elad Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -100,7 +100,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.116 2006/04/15 00:29:25 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.117 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" 
@@ -120,6 +120,7 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.116 2006/04/15 00:29:25 christos Ex #include #include #include +#include #include #include @@ -1256,8 +1257,8 @@ sysctl_inpcblist(SYSCTLFN_ARGS) if (inph->inph_af != pf) continue; - if (CURTAIN(l->l_proc->p_ucred->cr_uid, - inph->inph_socket->so_uidinfo->ui_uid)) + if (CURTAIN(kauth_cred_getuid(l->l_proc->p_cred), + inph->inph_socket->so_uidinfo->ui_uid)) /* XXX elad */ continue; memset(&pcb, 0, sizeof(pcb)); diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index b72d5f93fbb1..bebc2297d056 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -1,4 +1,4 @@ -/* $NetBSD: in6.c,v 1.101 2006/03/17 23:29:20 rpaulo Exp $ */ +/* $NetBSD: in6.c,v 1.102 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.101 2006/03/17 23:29:20 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.102 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_pfil_hooks.h" @@ -79,6 +79,7 @@ __KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.101 2006/03/17 23:29:20 rpaulo Exp $"); #include #include #include +#include #include #include @@ -335,7 +336,7 @@ in6_control(so, cmd, data, ifp, p) int error, privileged; privileged = 0; - if (p && !suser(p->p_ucred, &p->p_acflag)) + if (p && !kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) privileged++; switch (cmd) { diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 91c7bb4e18c3..e1ffa97c6cc8 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -1,4 +1,4 @@ -/* $NetBSD: in6_pcb.c,v 1.70 2006/05/05 00:03:22 rpaulo Exp $ */ +/* $NetBSD: in6_pcb.c,v 1.71 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $ */ /* 
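Review bot: The curtain test in sysctl_inpcblist used to compare `p_ucred->cr_uid` and now compares `kauth_cred_getuid(l->l_proc->p_cred)`, while the smb_conn.c hunks of this same patch translate `cred->cr_uid` to `kauth_cred_geteuid(cred)`. If `cr_uid` was the effective uid and kauth_cred_getuid() returns the real uid, as kauth(9) documents, this changes which identity decides whether another user's PCB entries are hidden, so a set-id process would be filtered by a different uid than before. The `/* XXX elad */` marker suggests the author was unsure here; either use `kauth_cred_geteuid(l->l_proc->p_cred)` to keep the old behaviour or replace the marker with a comment stating that the real uid is intended. The function body extends beyond the hunk.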
@@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.70 2006/05/05 00:03:22 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.71 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -78,6 +78,7 @@ __KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.70 2006/05/05 00:03:22 rpaulo Exp $"); #include #include #include +#include #include #include @@ -283,7 +284,8 @@ in6_pcbbind(v, nam, p) * NOTE: all operating systems use suser() for * privilege check! do not rewrite it into SS_PRIV. */ - priv = (p && !suser(p->p_ucred, &p->p_acflag)) ? 1 : 0; + priv = (p && !kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag)) ? 1 : 0; /* GROSS */ if (ntohs(lport) < IPV6PORT_RESERVED && !priv) return (EACCES); diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c index ccd9ae7fb91a..cac709c4283d 100644 --- a/sys/netinet6/in6_src.c +++ b/sys/netinet6/in6_src.c @@ -65,7 +65,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.25 2006/05/05 00:03:22 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.26 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" @@ -88,6 +88,7 @@ __KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.25 2006/05/05 00:03:22 rpaulo Exp $"); #include #include #include +#include #include #include @@ -900,7 +901,8 @@ in6_pcbsetport(laddr, in6p, p) if (in6p->in6p_flags & IN6P_LOWPORT) { #ifndef IPNOPRIVPORTS - if (p == 0 || (suser(p->p_ucred, &p->p_acflag) != 0)) + if (p == 0 || (kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, &p->p_acflag) != 0)) return (EACCES); #endif minport = ip6_lowportmin; diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index f269f8f7d66a..6332b1cea638 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c 
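Review bot: The comment kept above the changed line in in6_pcbbind still says "all operating systems use suser() for privilege check! do not rewrite it into SS_PRIV", yet the line below it no longer calls suser(). The comment should be updated so the warning names the check it is protecting, for example `* NOTE: the privilege check must go through kauth_authorize_generic(); do not rewrite it into SS_PRIV.`. in6_pcbbind starts and ends outside the hunk.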
@@ -1,4 +1,4 @@ -/* $NetBSD: ip6_output.c,v 1.97 2006/05/05 00:03:22 rpaulo Exp $ */ +/* $NetBSD: ip6_output.c,v 1.98 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.97 2006/05/05 00:03:22 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.98 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_inet6.h" @@ -78,6 +78,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.97 2006/05/05 00:03:22 rpaulo Exp $ #include #include #include +#include #include #include @@ -1410,7 +1411,7 @@ ip6_ctloutput(op, so, level, optname, mp) optlen = m ? m->m_len : 0; error = optval = 0; - privileged = (p == 0 || suser(p->p_ucred, &p->p_acflag)) ? 0 : 1; + privileged = (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) ? 0 : 1; uproto = (int)so->so_proto->pr_protocol; if (level == IPPROTO_IPV6) { @@ -2127,7 +2128,7 @@ ip6_pcbopts(pktopt, m, so) } /* set options specified by user. */ - if (p && !suser(p->p_ucred, &p->p_acflag)) + if (p && !kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) priv = 1; if ((error = ip6_setpktopts(m, opt, NULL, priv, so->so_proto->pr_protocol)) != 0) { @@ -2514,7 +2515,7 @@ ip6_setmoptions(optname, im6op, m) * all multicast addresses. Only super user is allowed * to do this. */ - if (suser(p->p_ucred, &p->p_acflag)) + if (kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) { error = EACCES; break; diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 8e1051e6646d..1fee7e441da4 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.76 2006/05/05 00:03:22 rpaulo Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.77 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* 
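Review bot: In ip6_setmoptions the converted check dereferences `p` unconditionally (`p->p_cred`, `p->p_acflag`), while the other two conversions in this file guard it (`p == 0 || …` in ip6_ctloutput, `p && …` in ip6_pcbopts). How `p` is obtained lies outside the hunk, so this may be safe, but if it can be null the privileged multicast path would fault instead of failing closed. `if (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))` would match the rest of the file.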
@@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.76 2006/05/05 00:03:22 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.77 2006/05/14 21:19:34 elad Exp $"); #include "opt_ipsec.h" @@ -76,6 +76,7 @@ __KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.76 2006/05/05 00:03:22 rpaulo Exp $"); #include #include #include +#include #include #include @@ -399,7 +400,9 @@ rip6_output(m, va_alist) in6p = sotoin6pcb(so); priv = 0; - if (curproc && !suser(curproc->p_ucred, &curproc->p_acflag)) + if (curproc && !kauth_authorize_generic(curproc->p_cred, + KAUTH_GENERIC_ISSUSER, + &curproc->p_acflag)) priv = 1; dst = &dstsock->sin6_addr; @@ -613,7 +616,7 @@ rip6_usrreq(so, req, m, nam, control, l) priv = 0; p = l ? l->l_proc : NULL; - if (p && !suser(p->p_ucred, &p->p_acflag)) + if (p && !kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) priv++; if (req == PRU_CONTROL) diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c index 7cf828a977c4..d0962062375d 100644 --- a/sys/netinet6/udp6_output.c +++ b/sys/netinet6/udp6_output.c @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_output.c,v 1.24 2006/05/05 00:03:22 rpaulo Exp $ */ +/* $NetBSD: udp6_output.c,v 1.25 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.24 2006/05/05 00:03:22 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.25 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" @@ -77,6 +77,7 @@ __KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.24 2006/05/05 00:03:22 rpaulo Exp #include #include #include +#include #include #include @@ -136,7 +137,7 @@ udp6_output(in6p, m, addr6, control, p) struct sockaddr_in6 tmp; priv = 0; - if (p && !suser(p->p_ucred, &p->p_acflag)) + if (p && !kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) priv = 1; if (addr6) { 
diff --git a/sys/netipsec/ipsec_netbsd.c b/sys/netipsec/ipsec_netbsd.c index ee4955d1287f..6830f5b5b50c 100644 --- a/sys/netipsec/ipsec_netbsd.c +++ b/sys/netipsec/ipsec_netbsd.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.16 2006/04/11 20:21:28 rpaulo Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.17 2006/05/14 21:19:34 elad Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.16 2006/04/11 20:21:28 rpaulo Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.17 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" diff --git a/sys/netisdn/i4b_ipr.c b/sys/netisdn/i4b_ipr.c index bea3bcbd60c7..2cc35077c801 100644 --- a/sys/netisdn/i4b_ipr.c +++ b/sys/netisdn/i4b_ipr.c @@ -27,7 +27,7 @@ * i4b_ipr.c - isdn4bsd IP over raw HDLC ISDN network driver * --------------------------------------------------------- * - * $Id: i4b_ipr.c,v 1.19 2005/12/11 12:25:06 christos Exp $ + * $Id: i4b_ipr.c,v 1.20 2006/05/14 21:19:34 elad Exp $ * * $FreeBSD$ * @@ -59,7 +59,7 @@ *---------------------------------------------------------------------------*/ #include -__KERNEL_RCSID(0, "$NetBSD: i4b_ipr.c,v 1.19 2005/12/11 12:25:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: i4b_ipr.c,v 1.20 2006/05/14 21:19:34 elad Exp $"); #include "irip.h" #include "opt_irip.h" @@ -641,7 +641,9 @@ iripioctl(struct ifnet *ifp, u_long cmd, caddr_t data) #if defined(__FreeBSD_version) && __FreeBSD_version >= 400005 if((error = suser(p)) != 0) #else - if((error = suser(p->p_ucred, &p->p_acflag)) != 0) + if((error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag)) != 0) #endif break; sl_compress_setup(sc->sc_compr, *(int *)data); diff --git a/sys/netiso/esis.c b/sys/netiso/esis.c index 7a5c798e2a79..39f649d9f848 100644 --- a/sys/netiso/esis.c +++ b/sys/netiso/esis.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: esis.c,v 1.35 2005/12/11 12:25:12 christos Exp $ */ +/* $NetBSD: esis.c,v 1.36 2006/05/14 21:19:34 elad Exp $ */ /*- * Copyright (c) 1991, 1993 @@ -59,7 +59,7 @@ SOFTWARE. */ #include -__KERNEL_RCSID(0, "$NetBSD: esis.c,v 1.35 2005/12/11 12:25:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esis.c,v 1.36 2006/05/14 21:19:34 elad Exp $"); #include "opt_iso.h" #ifdef ISO @@ -75,6 +75,7 @@ __KERNEL_RCSID(0, "$NetBSD: esis.c,v 1.35 2005/12/11 12:25:12 christos Exp $"); #include #include #include +#include #include #include @@ -194,7 +195,9 @@ esis_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam, error = EISCONN; break; } - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) { + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) { error = EACCES; break; } diff --git a/sys/netiso/iso.c b/sys/netiso/iso.c index 0b2e45fa2323..00640f3790bb 100644 --- a/sys/netiso/iso.c +++ b/sys/netiso/iso.c @@ -1,4 +1,4 @@ -/* $NetBSD: iso.c,v 1.36 2005/12/11 12:25:12 christos Exp $ */ +/* $NetBSD: iso.c,v 1.37 2006/05/14 21:19:34 elad Exp $ */ /*- * Copyright (c) 1991, 1993 @@ -62,7 +62,7 @@ SOFTWARE. */ #include -__KERNEL_RCSID(0, "$NetBSD: iso.c,v 1.36 2005/12/11 12:25:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: iso.c,v 1.37 2006/05/14 21:19:34 elad Exp $"); #include #include @@ -74,6 +74,7 @@ __KERNEL_RCSID(0, "$NetBSD: iso.c,v 1.36 2005/12/11 12:25:12 christos Exp $"); #include #include #include +#include #include #include @@ -476,7 +477,9 @@ iso_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, case SIOCSIFNETMASK: case SIOCSIFDSTADDR: #endif - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (EPERM); if (ifp == 0) diff --git a/sys/netiso/iso_pcb.c b/sys/netiso/iso_pcb.c index a5cab83b7b57..019d0dabaf7a 100644 --- a/sys/netiso/iso_pcb.c 
+++ b/sys/netiso/iso_pcb.c @@ -1,4 +1,4 @@ -/* $NetBSD: iso_pcb.c,v 1.28 2005/11/16 20:44:19 dsl Exp $ */ +/* $NetBSD: iso_pcb.c,v 1.29 2006/05/14 21:19:34 elad Exp $ */ /*- * Copyright (c) 1991, 1993 @@ -62,7 +62,7 @@ SOFTWARE. */ #include -__KERNEL_RCSID(0, "$NetBSD: iso_pcb.c,v 1.28 2005/11/16 20:44:19 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: iso_pcb.c,v 1.29 2006/05/14 21:19:34 elad Exp $"); #include "opt_iso.h" @@ -75,6 +75,7 @@ __KERNEL_RCSID(0, "$NetBSD: iso_pcb.c,v 1.28 2005/11/16 20:44:19 dsl Exp $"); #include #include #include +#include #include #include @@ -229,7 +230,7 @@ iso_pcbbind(void *v, struct mbuf *nam, struct proc *p) bcopy(TSEL(siso), suf.data, sizeof(suf.data)); suf.s = ntohs(suf.s); if (suf.s < ISO_PORT_RESERVED && - (p == 0 || suser(p->p_ucred, &p->p_acflag))) + (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag))) return EACCES; } else { char *cp; diff --git a/sys/netiso/iso_snpac.c b/sys/netiso/iso_snpac.c index a5bf55521a62..547e4c1fae99 100644 --- a/sys/netiso/iso_snpac.c +++ b/sys/netiso/iso_snpac.c @@ -1,4 +1,4 @@ -/* $NetBSD: iso_snpac.c,v 1.34 2005/12/11 12:25:12 christos Exp $ */ +/* $NetBSD: iso_snpac.c,v 1.35 2006/05/14 21:19:34 elad Exp $ */ /*- * Copyright (c) 1991, 1993 @@ -59,7 +59,7 @@ SOFTWARE. */ #include -__KERNEL_RCSID(0, "$NetBSD: iso_snpac.c,v 1.34 2005/12/11 12:25:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: iso_snpac.c,v 1.35 2006/05/14 21:19:34 elad Exp $"); #include "opt_iso.h" #ifdef ISO @@ -76,6 +76,7 @@ __KERNEL_RCSID(0, "$NetBSD: iso_snpac.c,v 1.34 2005/12/11 12:25:12 christos Exp #include #include #include +#include #include #include @@ -529,7 +530,7 @@ snpac_ioctl( #endif if (cmd == SIOCSSTYPE) { - if (p == 0 || suser(p->p_ucred, &p->p_acflag)) + if (p == 0 || kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, &p->p_acflag)) return (EPERM); if ((rq->sr_type & (SNPA_ES | SNPA_IS)) == (SNPA_ES | SNPA_IS)) return (EINVAL); 
diff --git a/sys/netiso/tp_output.c b/sys/netiso/tp_output.c index e80e111754f0..99b5c6f51d2e 100644 --- a/sys/netiso/tp_output.c +++ b/sys/netiso/tp_output.c @@ -1,4 +1,4 @@ -/* $NetBSD: tp_output.c,v 1.28 2006/04/14 23:56:20 christos Exp $ */ +/* $NetBSD: tp_output.c,v 1.29 2006/05/14 21:19:34 elad Exp $ */ /*- * Copyright (c) 1991, 1993 @@ -62,7 +62,7 @@ SOFTWARE. */ #include -__KERNEL_RCSID(0, "$NetBSD: tp_output.c,v 1.28 2006/04/14 23:56:20 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tp_output.c,v 1.29 2006/05/14 21:19:34 elad Exp $"); #include "opt_inet.h" #include "opt_iso.h" @@ -77,6 +77,7 @@ __KERNEL_RCSID(0, "$NetBSD: tp_output.c,v 1.28 2006/04/14 23:56:20 christos Exp #include #include #include +#include #include #include @@ -500,7 +501,8 @@ tp_ctloutput(int cmd, struct socket *so, int level, int optname, #define INA(t) (((struct inpcb *)(t->tp_npcb))->inp_laddr.s_addr) #define ISOA(t) (((struct isopcb *)(t->tp_npcb))->isop_laddr->siso_addr) - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) { + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) { error = EPERM; } else if (cmd != PRCO_SETOPT || tpcb->tp_state != TP_CLOSED || (tpcb->tp_flags & TPF_GENERAL_ADDR) || diff --git a/sys/netns/idp_usrreq.c b/sys/netns/idp_usrreq.c index a43fbae212ce..3879908449bf 100644 --- a/sys/netns/idp_usrreq.c +++ b/sys/netns/idp_usrreq.c @@ -1,4 +1,4 @@ -/* $NetBSD: idp_usrreq.c,v 1.26 2006/04/14 23:25:46 christos Exp $ */ +/* $NetBSD: idp_usrreq.c,v 1.27 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 1984, 1985, 1986, 1987, 1993 @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: idp_usrreq.c,v 1.26 2006/04/14 23:25:46 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: idp_usrreq.c,v 1.27 2006/05/14 21:20:13 elad Exp $"); #include "opt_ns.h" /* NSIP: Xerox NS over IP */ 
@@ -46,6 +46,7 @@ __KERNEL_RCSID(0, "$NetBSD: idp_usrreq.c,v 1.26 2006/04/14 23:25:46 christos Exp #include #include #include +#include #include #include @@ -497,7 +498,8 @@ idp_raw_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam, error = EISCONN; break; } - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) { + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) { error = EACCES; break; } diff --git a/sys/netns/ns.c b/sys/netns/ns.c index 0799b8ae8e6c..7184045f2c41 100644 --- a/sys/netns/ns.c +++ b/sys/netns/ns.c @@ -1,4 +1,4 @@ -/* $NetBSD: ns.c,v 1.28 2005/12/11 12:25:16 christos Exp $ */ +/* $NetBSD: ns.c,v 1.29 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 1984, 1985, 1986, 1987, 1993 @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ns.c,v 1.28 2005/12/11 12:25:16 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ns.c,v 1.29 2006/05/14 21:20:13 elad Exp $"); #include #include @@ -43,6 +43,7 @@ __KERNEL_RCSID(0, "$NetBSD: ns.c,v 1.28 2005/12/11 12:25:16 christos Exp $"); #include #include #include +#include #include #include @@ -91,7 +92,9 @@ ns_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, /* FALLTHROUGH */ case SIOCSIFADDR: case SIOCSIFDSTADDR: - if (p == 0 || (error = suser(p->p_ucred, &p->p_acflag))) + if (p == 0 || (error = kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (EPERM); if (ifp == 0) diff --git a/sys/netns/ns_pcb.c b/sys/netns/ns_pcb.c index a02908cdfc73..08718693a0f6 100644 --- a/sys/netns/ns_pcb.c +++ b/sys/netns/ns_pcb.c @@ -1,4 +1,4 @@ -/* $NetBSD: ns_pcb.c,v 1.24 2005/12/11 12:25:16 christos Exp $ */ +/* $NetBSD: ns_pcb.c,v 1.25 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 1984, 1985, 1986, 1987, 1993 
@@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ns_pcb.c,v 1.24 2005/12/11 12:25:16 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ns_pcb.c,v 1.25 2006/05/14 21:20:13 elad Exp $"); #include #include @@ -42,6 +42,7 @@ __KERNEL_RCSID(0, "$NetBSD: ns_pcb.c,v 1.24 2005/12/11 12:25:16 christos Exp $") #include #include #include +#include #include #include @@ -92,7 +93,9 @@ ns_pcbbind(struct nspcb *nsp, struct mbuf *nam, struct proc *p) if (lport) { if (ntohs(lport) < NSPORT_RESERVED && - (p == 0 || suser(p->p_ucred, &p->p_acflag))) + (p == 0 || kauth_authorize_generic(p->p_cred, + KAUTH_GENERIC_ISSUSER, + &p->p_acflag))) return (EACCES); if (ns_pcblookup(&zerons_addr, lport, 0)) return (EADDRINUSE); diff --git a/sys/netsmb/smb_conn.c b/sys/netsmb/smb_conn.c index b3d321a7db5e..a5fd8675f7d7 100644 --- a/sys/netsmb/smb_conn.c +++ b/sys/netsmb/smb_conn.c @@ -1,4 +1,4 @@ -/* $NetBSD: smb_conn.c,v 1.19 2005/12/11 12:25:16 christos Exp $ */ +/* $NetBSD: smb_conn.c,v 1.20 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: smb_conn.c,v 1.19 2005/12/11 12:25:16 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_conn.c,v 1.20 2006/05/14 21:20:13 elad Exp $"); /* * Connection engine. @@ -49,6 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: smb_conn.c,v 1.19 2005/12/11 12:25:16 christos Exp $ #include #include #include /* for M_SONAME */ +#include #include 
@@ -382,20 +383,24 @@ smb_vc_create(struct smb_vcspec *vcspec, struct smb_cred *scred, struct smb_vc **vcpp) { struct smb_vc *vcp; - struct ucred *cred = scred->scr_cred; + kauth_cred_t cred = scred->scr_cred; uid_t uid = vcspec->owner; gid_t gid = vcspec->group; - uid_t realuid = cred->cr_uid; + uid_t realuid; char *domain = vcspec->domain; - int error, isroot; + int error, isroot, ismember = 0; + realuid = kauth_cred_geteuid(cred); isroot = (smb_suser(cred) == 0); /* * Only superuser can create VCs with different uid and gid */ if (uid != SMBM_ANY_OWNER && uid != realuid && !isroot) return EPERM; - if (gid != SMBM_ANY_GROUP && !groupmember(gid, cred) && !isroot) + + if (gid != SMBM_ANY_GROUP && + (kauth_cred_ismember_gid(cred, gid, &ismember) != 0 || !ismember) && + !isroot) return EPERM; vcp = smb_zmalloc(sizeof(*vcp), M_SMBCONN, M_WAITOK); @@ -411,7 +416,7 @@ smb_vc_create(struct smb_vcspec *vcspec, if (uid == SMBM_ANY_OWNER) uid = realuid; if (gid == SMBM_ANY_GROUP) - gid = cred->cr_groups[0]; + gid = kauth_cred_group(cred, 0); vcp->vc_uid = uid; vcp->vc_grp = gid; @@ -544,12 +549,14 @@ smb_vc_unlock(struct smb_vc *vcp, int flags) int smb_vc_access(struct smb_vc *vcp, struct smb_cred *scred, mode_t mode) { - struct ucred *cred = scred->scr_cred; + kauth_cred_t cred = scred->scr_cred; + int ismember = 0; - if (smb_suser(cred) == 0 || cred->cr_uid == vcp->vc_uid) + if (smb_suser(cred) == 0 || kauth_cred_geteuid(cred) == vcp->vc_uid) return 0; mode >>= 3; - if (!groupmember(vcp->vc_grp, cred)) + if (kauth_cred_ismember_gid(cred, vcp->vc_grp, &ismember) != 0 || + !ismember) mode >>= 3; return (vcp->vc_mode & mode) == mode ? 0 : EACCES; } 
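Review bot: The local `realuid` in smb_vc_create is now filled from `kauth_cred_geteuid(cred)`, so the name says real uid while the value is the effective uid. Since this value decides the `uid != realuid && !isroot` ownership check, it deserves either a rename or a comment such as `/* effective uid of the caller; name kept from the original code */`. smb_share_create carries the same variable and assignment.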
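Review bot: When the caller passes SMBM_ANY_GROUP, smb_vc_create defaults the group to `kauth_cred_group(cred, 0)` without checking that the credential has any group entries; no `kauth_cred_ngroups()` test appears in the hunk. If the old `cred->cr_groups[0]` was meant as the caller's effective group, `gid = kauth_cred_getegid(cred);` says so directly and does not depend on the group list; otherwise the index should be guarded first. The value becomes `vcp->vc_grp`, which smb_vc_access uses to pick the group permission bits, so a wrong default changes who may use the connection. smb_share_create has the same line.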
@@ -687,19 +694,22 @@ smb_share_create(struct smb_vc *vcp, struct smb_sharespec *shspec, struct smb_cred *scred, struct smb_share **sspp) { struct smb_share *ssp; - struct ucred *cred = scred->scr_cred; - uid_t realuid = cred->cr_uid; + kauth_cred_t cred = scred->scr_cred; + uid_t realuid; uid_t uid = shspec->owner; gid_t gid = shspec->group; - int error, isroot; + int error, isroot, ismember = 0; + realuid = kauth_cred_geteuid(cred); isroot = smb_suser(cred) == 0; /* * Only superuser can create shares with different uid and gid */ if (uid != SMBM_ANY_OWNER && uid != realuid && !isroot) return EPERM; - if (gid != SMBM_ANY_GROUP && !groupmember(gid, cred) && !isroot) + if (gid != SMBM_ANY_GROUP && + (kauth_cred_ismember_gid(cred, gid, &ismember) != 0 || !ismember) && + !isroot) return EPERM; error = smb_vc_lookupshare(vcp, shspec, scred, &ssp); if (!error) { @@ -709,7 +719,7 @@ smb_share_create(struct smb_vc *vcp, struct smb_sharespec *shspec, if (uid == SMBM_ANY_OWNER) uid = realuid; if (gid == SMBM_ANY_GROUP) - gid = cred->cr_groups[0]; + gid = kauth_cred_group(cred, 0); ssp = smb_zmalloc(sizeof(*ssp), M_SMBCONN, M_WAITOK); smb_co_init(SSTOCP(ssp), SMBL_SHARE, "smbss"); ssp->obj.co_free = smb_share_free; @@ -787,12 +797,14 @@ smb_share_unlock(struct smb_share *ssp, int flags) int smb_share_access(struct smb_share *ssp, struct smb_cred *scred, mode_t mode) { - struct ucred *cred = scred->scr_cred; + kauth_cred_t cred = scred->scr_cred; + int ismember = 0; - if (smb_suser(cred) == 0 || cred->cr_uid == ssp->ss_uid) + if (smb_suser(cred) == 0 || kauth_cred_geteuid(cred) == ssp->ss_uid) return 0; mode >>= 3; - if (!groupmember(ssp->ss_grp, cred)) + if (kauth_cred_ismember_gid(cred, ssp->ss_grp, &ismember) != 0 || + !ismember) mode >>= 3; return (ssp->ss_mode & mode) == mode ? 0 : EACCES; } 
@@ -849,7 +861,7 @@ smb_sysctl_treedump(SYSCTL_HANDLER_ARGS) struct smb_share_info ssi; int error, itype; - smb_makescred(&scred, td, td->td_proc->p_ucred); + smb_makescred(&scred, td, td->td_proc->p_cred); error = smb_sm_lockvclist(LK_SHARED); if (error) return error; diff --git a/sys/netsmb/smb_dev.h b/sys/netsmb/smb_dev.h index 3b028a712e55..9f3e45ab818a 100644 --- a/sys/netsmb/smb_dev.h +++ b/sys/netsmb/smb_dev.h @@ -1,4 +1,4 @@ -/* $NetBSD: smb_dev.h,v 1.5 2005/12/11 06:25:32 christos Exp $ */ +/* $NetBSD: smb_dev.h,v 1.6 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -172,7 +172,7 @@ struct smb_dev { struct selinfo sd_pollinfo; struct smbrqh sd_rqlist; struct smbrqh sd_rplist; - struct ucred *sd_owner;*/ + kauth_cred_t sd_owner;*/ int sd_flags; }; diff --git a/sys/netsmb/smb_subr.c b/sys/netsmb/smb_subr.c index 9e22c3fadf89..42b497acef0a 100644 --- a/sys/netsmb/smb_subr.c +++ b/sys/netsmb/smb_subr.c @@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.c,v 1.25 2006/04/12 01:17:41 christos Exp $ */ +/* $NetBSD: smb_subr.c,v 1.26 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.25 2006/04/12 01:17:41 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.26 2006/05/14 21:20:13 elad Exp $"); #include #include @@ -49,6 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.25 2006/04/12 01:17:41 christos Exp $ #include #include #include /* for M_SONAME */ +#include #include 
@@ -63,11 +64,11 @@ static MALLOC_DEFINE(M_SMBSTR, "smbstr", "SMB strings"); MALLOC_DEFINE(M_SMBTEMP, "smbtemp", "Temp netsmb data"); void -smb_makescred(struct smb_cred *scred, struct lwp *l, struct ucred *cred) +smb_makescred(struct smb_cred *scred, struct lwp *l, kauth_cred_t cred) { if (l) { scred->scr_l = l; - scred->scr_cred = cred ? cred : l->l_proc->p_ucred; + scred->scr_cred = cred ? cred : l->l_proc->p_cred; } else { scred->scr_l = NULL; scred->scr_cred = cred ? cred : NULL; diff --git a/sys/netsmb/smb_subr.h b/sys/netsmb/smb_subr.h index a269588d8544..a4e641880868 100644 --- a/sys/netsmb/smb_subr.h +++ b/sys/netsmb/smb_subr.h @@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.h,v 1.14 2005/12/11 12:25:16 christos Exp $ */ +/* $NetBSD: smb_subr.h,v 1.15 2006/05/14 21:20:13 elad Exp $ */ /* * Copyright (c) 2000-2001, Boris Popov @@ -72,7 +72,7 @@ void m_dumpm(struct mbuf *m); SIGISMEMBER(set, SIGHUP) || SIGISMEMBER(set, SIGKILL) || \ SIGISMEMBER(set, SIGQUIT)) -#define smb_suser(cred) suser(cred, 0) +#define smb_suser(cred) kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER, NULL) /* * Compatibility wrappers for simple locks @@ -95,7 +95,7 @@ typedef smb_unichar *smb_uniptr; struct smb_cred { /* struct thread * scr_td; */ struct lwp * scr_l; - struct ucred * scr_cred; + kauth_cred_t scr_cred; }; extern const smb_unichar smb_unieol; @@ -104,7 +104,8 @@ struct mbchain; struct smb_vc; struct smb_rq; -void smb_makescred(struct smb_cred *scred, struct lwp *l, struct ucred *cred); +void smb_makescred(struct smb_cred *scred, struct lwp *l, + kauth_cred_t cred); int smb_proc_intr(struct lwp *); char *smb_strdup(const char *s); char *smb_strdupin(char *s, int maxlen);
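Review bot: smb_makescred can still leave `scr_cred` null: with `l == NULL` the new line `scred->scr_cred = cred ? cred : NULL;` stores whatever was passed, and that conditional is simply `scred->scr_cred = cred;`. The converted consumers in smb_conn.c (smb_vc_create, smb_vc_access, smb_share_create, smb_share_access) hand `scred->scr_cred` straight to `kauth_cred_geteuid()` and `smb_suser()` without a null test. Whether any caller reaches here with both arguments null is not visible on this page; if one can, a `KASSERT(scred->scr_cred != NULL);` or a comment on the function stating that a credential is required would document the contract.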
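Review bot: smb_subr.h now uses `kauth_cred_t` in `struct smb_cred` and in the smb_makescred prototype, but none of this header's hunks adds an include for the type, so every file that includes it must have pulled in the kauth header first. Adding `#include <sys/kauth.h>` to the header, or a comment stating the prerequisite, would keep it self-contained. The rewritten macro also expands its argument unparenthesised; `#define smb_suser(cred) kauth_authorize_generic((cred), KAUTH_GENERIC_ISSUSER, NULL)` is the safer form.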