Make a move towards ending 4 decades of kernel snooping.

Add sysctl kern.allowkmem (default 0) which controls the ability to open
/dev/mem or /dev/kmem at securelevel > 0.  Over 15 years we converted 99%
of utilities in the tree to operate on sysctl-nodes (either by themselves
or via code hiding in the guts of -lkvm).

pstat -d and -v & procmap are affected and continued use of them will
require kern.allowkmem=1 in /etc/sysctl.conf.  acpidump (and it's
buddy sendbug) are affected, but we'll work out a solution soon.

There will be some impact in ports.

ok kettenis guenther

1 files changed, 9 insertions, 2 deletions

diff --git a/usr.sbin/procmap/procmap.1 b/usr.sbin/procmap/procmap.1
index 850fb50be0a..c1edf188f83 100644
--- a/usr.sbin/procmap/procmap.1
+++ b/usr.sbin/procmap/procmap.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: procmap.1,v 1.21 2016/05/26 17:23:49 stefan Exp $
+.\"	$OpenBSD: procmap.1,v 1.22 2016/09/25 15:23:37 deraadt Exp $
 .\"	$NetBSD: pmap.1,v 1.6 2003/01/19 21:25:43 atatat Exp $
 .\"
 .\" Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2016 $
+.Dd $Mdocdate: September 25 2016 $
 .Dt PROCMAP 1
 .Os
 .Sh NAME
@@ -53,6 +53,13 @@ address, the underlying file's device and inode numbers, and various
 protection information will be displayed, along with the path to the
 file, if such data is available.
 .Pp
+.Nm
+requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
+.Pp
 By default,
 .Nm
 displays information for its parent process, so that when run from a