Make a move towards ending 4 decades of kernel snooping.

Add sysctl kern.allowkmem (default 0) which controls the ability to open
/dev/mem or /dev/kmem at securelevel > 0.  Over 15 years we converted 99%
of utilities in the tree to operate on sysctl-nodes (either by themselves
or via code hiding in the guts of -lkvm).

pstat -d and -v & procmap are affected and continued use of them will
require kern.allowkmem=1 in /etc/sysctl.conf.  acpidump (and it's
buddy sendbug) are affected, but we'll work out a solution soon.

There will be some impact in ports.

ok kettenis guenther

1 files changed, 9 insertions, 2 deletions

diff --git a/usr.sbin/acpidump/acpidump.8 b/usr.sbin/acpidump/acpidump.8
index 650c683acd1..ff8747898a2 100644
--- a/usr.sbin/acpidump/acpidump.8
+++ b/usr.sbin/acpidump/acpidump.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: acpidump.8,v 1.15 2014/03/13 21:14:08 brynet Exp $
+.\"	$OpenBSD: acpidump.8,v 1.16 2016/09/25 15:23:37 deraadt Exp $
 .\"
 .\" Copyright (c) 1999 Doug Rabson <dfr@FreeBSD.org>
 .\" Copyright (c) 2000 Mitsuru IWASAKI <iwasaki@FreeBSD.org>
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD: src/usr.sbin/acpi/acpidump/acpidump.8,v 1.9 2001/09/05 19:21:25 dd Exp $
 .\"
-.Dd $Mdocdate: March 13 2014 $
+.Dd $Mdocdate: September 25 2016 $
 .Dt ACPIDUMP 8
 .Os
 .Sh NAME
@@ -60,6 +60,13 @@ ports tree or package system:
 # pkg_add acpica
 $ iasl -d <prefix>.<sig>.<id>
 .Ed
+.Pp
+.Nm
+requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
 .Sh FILES
 .Bl -tag -width /dev/mem
 .It Pa /dev/mem