> I think the patch below is correct and allows the removal of some
> unnecessary (and somewhat obfuscatory) kauth requests.  Fundamentally,
> access to the i386 iopl must be assumed to be access to raw memory.
> 
> I didn't touch the machdep kauth requests for the get/set MTRR operations.
> But I would like to remove the kauth calls entirely, unless someone can
> explain to me how it's possible to alter the persistent state of the
> machine by tampering with MTRR entries.  I am aware that it's possible to
> easily crash the machine, but, of course, root can already do that with
> reboot()...

kauth is not dedicated to tcb or securelevel.

YAMAMOTO Takashi