Just like dt(4) or mem(4), ksyms(4) allows userland to read kernel addresses.
Diff below makes `allowkmem' a requirement for opening the pseudo-device. ok? Index: sys/dev/ksyms.c =================================================================== RCS file: /cvs/src/sys/dev/ksyms.c,v retrieving revision 1.32 diff -u -p -r1.32 ksyms.c --- sys/dev/ksyms.c 25 Jan 2019 00:19:26 -0000 1.32 +++ sys/dev/ksyms.c 22 Jan 2020 14:14:20 -0000 @@ -114,13 +114,14 @@ ksymsattach(int num) int ksymsopen(dev_t dev, int flag, int mode, struct proc *p) { + extern int allowkmem; /* There are no non-zero minor devices */ if (minor(dev) != 0) return (ENXIO); /* This device is read-only */ - if ((flag & FWRITE)) + if ((flag & FWRITE) || !allowkmem) return (EPERM); /* ksym_syms must be initialized */ Index: share/man/man4/ksyms.4 =================================================================== RCS file: /cvs/src/share/man/man4/ksyms.4,v retrieving revision 1.14 diff -u -p -r1.14 ksyms.4 --- share/man/man4/ksyms.4 25 Jan 2019 00:19:26 -0000 1.14 +++ share/man/man4/ksyms.4 22 Jan 2020 14:14:57 -0000 @@ -63,7 +63,10 @@ An open of will fail if: .Bl -tag -width Er .It Bq Er EPERM -An open was attempted with write permissions. +An open was attempted with write permissions or the +.Va kern.allowkmem +.Xr sysctl 2 +is not set. .It Bq Er ENXIO No kernel symbols were saved by the boot loader (usually because they were removed with