[ moved from source-changes. ]

> > > - Always make p->p_cred a private copy before modifying.
> > > - Share credentials among processes when forking.
> > 
> > do you have a plan to add some locking?
> > "p->p_cred = kauth_cred_copy(p->p_cred);" is not safe
> > as kauth_cred_copy can sleep.
> 
> The change to per-LWP creds will solve this problem for the most part. I
> hope to make those changes in the next day or two.

consider a process which has lwpA and lwpB.
if lwpA does setuid while lwpB does setgid, one of their changes
can be overwritten.

i don't think lwp_broadcast_creds is a good idea, given the above problem.
it's better to just update process cred with appropriate locking,
and then call lwp_update_creds if necessary.

YAMAMOTO Takashi