author jamie <jamie@FreeBSD.org> 2014-01-31 17:39:51 +0000
committer jamie <jamie@FreeBSD.org> 2014-01-31 17:39:51 +0000
commit 64b15ec174b0b7a8dd798f25c0299df5c577d2fa
tree f0132e664e1ee614f56db3268dbd52de2c26d511 /usr.sbin/jail
parent 16b6d5f86751ba0d7edce948c3d96f81505cf186
Back out r261266 pending security buy-in.
r261266: Add a jail parameter, allow.kmem, which lets jailed processes access /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE). This in conjunction with changing the drm driver's permission check from PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- usr.sbin/jail/jail.8 11
1 files changed, 0 insertions, 11 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index d5aa4d3..4a16e9a 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -573,17 +573,6 @@ with non-jailed parts of the system.
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
-.It Va allow.kmem
-Jailed processes may access
-.Pa /dev/kmem
-and similar devices (e.g. io, dri) if they have sufficient permission
-(via the usual file permissions).
-Note that the device files must exist within the jail for this parameter
-to be of any use;
-the default devfs ruleset for jails does not include any such devices.
-Giving a jail access to kernel memory obviates much of the security that
-jails offer, but can still be useful for other purposes.
-For example, this would allow the Xorg server to run inside a jail.
.El
.El
.Pp
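Review bot: The removal of the ".It Va allow.kmem" entry only covers jail.8, and the diffstat on this page is limited to usr.sbin/jail, so please confirm that the same commit also removes the parameter from the kernel and from the jail utility's parameter handling. If the code stayed while the manual entry went, allow.kmem would remain settable but undocumented, which is the worse outcome for a parameter that the commit message says grants PRIV_IO and PRIV_KMEM_WRITE. If the parameter is resubmitted after security review, the removed wording should be reordered: the sentence "Giving a jail access to kernel memory obviates much of the security that jails offer" belongs at the top of the entry rather than near the end, the entry should name the two privileges it grants, and it should state that the devfs ruleset and file permissions are the only remaining controls once the parameter is set.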