Subject: Re: kauth machdep actions (Re: CVS commit: src)
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-kern
Date: 12/26/2006 19:17:23
> attached is a diff that:
>   - removes 'enum kauth_machdep_req' and any use of it
> 
>   - moves requests a level up, making them all actions:
>       KAUTH_MACHDEP_IOPERM_GET
>       KAUTH_MACHDEP_IOPERM_SET
>       KAUTH_MACHDEP_IOPL
>       KAUTH_MACHDEP_LDT_GET
>       KAUTH_MACHDEP_LDT_SET
>       KAUTH_MACHDEP_MTRR_GET
>       KAUTH_MACHDEP_MTRR_SET
>       KAUTH_MACHDEP_UNMANAGEDMEM
> 
>   - converts sys/arch/* code to use the above.
> 
>   - adapts secmodel code to the changes, unifying the security policy
>     for them:
>       KAUTH_MACHDEP_IOPERM_GET - allow always
>       KAUTH_MACHDEP_IOPERM_SET - superuser, securelevel < 1 only
>       KAUTH_MACHDEP_IOPL - superuser, securelevel < 1 only
>       KAUTH_MACHDEP_LDT_GET - allow always (new action)
>       KAUTH_MACHDEP_LDT_SET - allow always (new action)
>       KAUTH_MACHDEP_MTRR_GET - allow always (*)
>       KAUTH_MACHDEP_MTRR_SET - superuser only
>       KAUTH_MACHDEP_UNMANAGEDMEM - superuser, securelevel < 0 only (*)
> 
> notes:
>   * amd64 code for netbsd32 emulation used to deny MTRR_GET for non-root
>     users. I assumed this was a copy/paste error, so the new policy
>     always allows MTRR_GET.
> 
>   * access to unmanaged memory was unified, to check both superuser and
>     securelevel. some ports (sun3, hp300, see my original message about
>     that) are still not checking either -- these are subject to future
>     work, shall we decide to adapt them to the said policy.
> 
> please review; if we'll be doing this, it should go to netbsd-4 too.
> 
> -e.

seems reasonable to me.

YAMAMOTO Takashi
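
The unified policy listed in the quoted message, modelled as an added example; it is not code from the attached diff or from the NetBSD tree. The action names are the ones in the message. The split into a superuser check and a securelevel check, the result values, the function names, and the rule that a request is granted only when no check denies and at least one allows are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Action names come from the quoted message; all other names are hypothetical. */
enum machdep_action {
    KAUTH_MACHDEP_IOPERM_GET, KAUTH_MACHDEP_IOPERM_SET, KAUTH_MACHDEP_IOPL,
    KAUTH_MACHDEP_LDT_GET, KAUTH_MACHDEP_LDT_SET,
    KAUTH_MACHDEP_MTRR_GET, KAUTH_MACHDEP_MTRR_SET,
    KAUTH_MACHDEP_UNMANAGEDMEM
};
enum result { RES_DEFER, RES_ALLOW, RES_DENY };

/* Superuser check: the "allow always" actions pass for anyone, the rest need root. */
static enum result suser_check(enum machdep_action a, bool is_root)
{
    switch (a) {
    case KAUTH_MACHDEP_IOPERM_GET:
    case KAUTH_MACHDEP_LDT_GET:
    case KAUTH_MACHDEP_LDT_SET:
    case KAUTH_MACHDEP_MTRR_GET:
        return RES_ALLOW;
    default:
        return is_root ? RES_ALLOW : RES_DEFER;
    }
}

/* Securelevel check: can veto a request even when the caller is root. */
static enum result securelevel_check(enum machdep_action a, int securelevel)
{
    switch (a) {
    case KAUTH_MACHDEP_IOPERM_SET:
    case KAUTH_MACHDEP_IOPL:
        return securelevel < 1 ? RES_DEFER : RES_DENY;
    case KAUTH_MACHDEP_UNMANAGEDMEM:
        return securelevel < 0 ? RES_DEFER : RES_DENY;
    default:
        return RES_DEFER; /* MTRR_SET and the rest have no securelevel rule */
    }
}

/* Modelled combination rule: any deny wins, otherwise one allow is required. */
bool machdep_authorize(enum machdep_action a, bool is_root, int securelevel)
{
    enum result s = suser_check(a, is_root);
    enum result l = securelevel_check(a, securelevel);
    if (s == RES_DENY || l == RES_DENY) return false;
    return s == RES_ALLOW || l == RES_ALLOW;
}

int main(void) { printf("%d\n", machdep_authorize(KAUTH_MACHDEP_IOPL, true, 1)); return 0; }
```

The case worth checking when porting a policy like this is the boundary: root at securelevel 0 may still set I/O permissions but may not touch unmanaged memory, which requires securelevel below 0.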