> > kauth_authorize_device(cred, KAUTH_DEVICE_RAWIO, r/w/passthru, vp, some_data);
> > 
> > i wonder what's the status of devvp branch.
> 
> we can only do the above if we can gurantee the vp at all times... for
> now I think we should pass dev:
> 
> kauth_authorize_device(cred, KAUTH_DEVICE_RAWIO, r/w/passthru, dev,
>     some_data);
> 
> (and we note in the man-page listeners for that request should use
> iskmemdev())

seems fine to me.

> and, that allows us to make kauth_authorize_device_tty() a wrapper
> around that one, and not directly call kauth_authorize_action() if we
> want.

i'm not sure if it is counted as a benefit.

> attached new diff that removes the bvp/blkdev usage for usual cases
> and only uses them for veriexec.

seems reasonable.

YAMAMOTO Takashi