Index: kern/init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.217
diff -u -u -r1.217 init_sysctl.c
--- kern/init_sysctl.c	16 Sep 2018 20:39:04 -0000	1.217
+++ kern/init_sysctl.c	5 Oct 2018 21:21:24 -0000
@@ -85,6 +85,8 @@
 int kern_has_sysvshm = 0;
 int kern_has_sysvsem = 0;
 
+int kern_expose_address = 0;
+
 static const u_int sysctl_lwpprflagmap[] = {
 	LPR_DETACHED, L_DETACHED,
 	0
@@ -127,6 +129,7 @@
 static int sysctl_kern_drivers(SYSCTLFN_PROTO);
 static int sysctl_security_setidcore(SYSCTLFN_PROTO);
 static int sysctl_security_setidcorename(SYSCTLFN_PROTO);
+static int sysctl_security_expose_address(SYSCTLFN_PROTO);
 static int sysctl_kern_cpid(SYSCTLFN_PROTO);
 static int sysctl_hw_usermem(SYSCTLFN_PROTO);
 static int sysctl_hw_cnmagic(SYSCTLFN_PROTO);
@@ -599,6 +602,12 @@
 			SYSCTL_DESCR("Kernel message verbosity"),
 			sysctl_kern_messages, 0, NULL, 0,
 			CTL_KERN, CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+			CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+			CTLTYPE_INT, "expose_address",
+			SYSCTL_DESCR("Expose kernel addresses to userland"),
+			sysctl_security_expose_address, 0, &kern_expose_address,
+			0, CTL_KERN, CTL_CREATE, CTL_EOL);
 }
 
 SYSCTL_SETUP(sysctl_hw_misc_setup, "sysctl hw subtree misc setup")
@@ -798,7 +807,7 @@
 	case AB_NORMAL:
 	default:
 		messageverbose = 2;
-}
+	}
 
 	node = *rnode;
 	node.sysctl_data = &messageverbose;
@@ -1340,6 +1349,37 @@
 }
 
 static int
+sysctl_security_expose_address(SYSCTLFN_ARGS)
+{
+	int expose_address, error;
+	struct sysctlnode node;
+
+	node = *rnode;
+	node.sysctl_data = &expose_address;
+	expose_address = *(int *)rnode->sysctl_data;
+	error = sysctl_lookup(SYSCTLFN_CALL(&node));
+	if (error || newp == NULL)
+		return error;
+
+	if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_KERNADDR,
+	    0, NULL, NULL, NULL))
+		return (EPERM);
+
+	*(int *)rnode->sysctl_data = expose_address;
+
+	return 0;
+}
+
+bool
+get_expose_address(struct proc *p)
+{
+	/* allow only if sysctl variable is set or privileged */
+	return kern_expose_address || kauth_authorize_process(kauth_cred_get(),
+	    KAUTH_PROCESS_CANSEE, p,
+	    KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_KPTR), NULL, NULL) == 0;
+}
+
+static int
 sysctl_security_setidcorename(SYSCTLFN_ARGS)
 {
 	int error;
Index: kern/kern_descrip.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_descrip.c,v
retrieving revision 1.237
diff -u -u -r1.237 kern_descrip.c
--- kern/kern_descrip.c	13 Sep 2018 14:44:09 -0000	1.237
+++ kern/kern_descrip.c	5 Oct 2018 21:21:24 -0000
@@ -2283,23 +2283,11 @@
 	return error;
 }
 
-#define SET_KERN_ADDR(dst, src, allow)	\
-	do {				\
-		if (allow)		\
-			dst = src;	\
-	} while (0);
-
 static void
 fill_file(struct kinfo_file *kp, const file_t *fp, const fdfile_t *ff,
 	  int i, pid_t pid)
 {
-	bool allowaddr;
-	int error;
-
-	/* If not privileged, don't expose kernel addresses. */
-	error = kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANSEE,
-	    curproc, KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_KPTR), NULL, NULL);
-	allowaddr = (error == 0);
+	const bool allowaddr = get_expose_address(curproc);
 
 	memset(kp, 0, sizeof(*kp));
 
Index: kern/kern_proc.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_proc.c,v
retrieving revision 1.217
diff -u -u -r1.217 kern_proc.c
--- kern/kern_proc.c	4 Sep 2018 16:03:56 -0000	1.217
+++ kern/kern_proc.c	5 Oct 2018 21:21:25 -0000
@@ -2160,32 +2160,21 @@
 	return error;
 }
 
-#define SET_KERN_ADDR(dst, src, allow)	\
-	do {				\
-		if (allow)		\
-			dst = src;	\
-	} while (0);
-
 /*
  * Fill in an eproc structure for the specified process.
  */
 void
 fill_eproc(struct proc *p, struct eproc *ep, bool zombie)
 {
-	bool allowaddr;
 	struct tty *tp;
 	struct lwp *l;
-	int error;
 
 	KASSERT(mutex_owned(proc_lock));
 	KASSERT(mutex_owned(p->p_lock));
 
 	memset(ep, 0, sizeof(*ep));
 
-	/* If not privileged, don't expose kernel addresses. */
-	error = kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANSEE,
-	    curproc, KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_KPTR), NULL, NULL);
-	allowaddr = (error == 0);
+	const bool allowaddr = get_expose_address(curproc);
 
 	SET_KERN_ADDR(ep->e_paddr, p, allowaddr);
 	SET_KERN_ADDR(ep->e_sess, p->p_session, allowaddr);
@@ -2243,16 +2232,11 @@
 	sigset_t ss1, ss2;
 	struct rusage ru;
 	struct vmspace *vm;
-	bool allowaddr;
-	int error;
 
 	KASSERT(mutex_owned(proc_lock));
 	KASSERT(mutex_owned(p->p_lock));
 
-	/* If not privileged, don't expose kernel addresses. */
-	error = kauth_authorize_process(kauth_cred_get(), KAUTH_PROCESS_CANSEE,
-	    curproc, KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_KPTR), NULL, NULL);
-	allowaddr = (error == 0);
+	const bool allowaddr = get_expose_address(curproc);
 
 	sigemptyset(&ss1);
 	sigemptyset(&ss2);
Index: sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.80
diff -u -u -r1.80 kauth.h
--- sys/kauth.h	4 Sep 2018 14:31:18 -0000	1.80
+++ sys/kauth.h	5 Oct 2018 21:21:25 -0000
@@ -144,6 +144,7 @@
 	KAUTH_SYSTEM_FS_EXTATTR,
 	KAUTH_SYSTEM_FS_SNAPSHOT,
 	KAUTH_SYSTEM_INTR,
+	KAUTH_SYSTEM_KERNADDR,
 };
 
 /*
Index: sys/systm.h
===================================================================
RCS file: /cvsroot/src/sys/sys/systm.h,v
retrieving revision 1.278
diff -u -u -r1.278 systm.h
--- sys/systm.h	18 Sep 2018 01:25:09 -0000	1.278
+++ sys/systm.h	5 Oct 2018 21:21:25 -0000
@@ -184,6 +184,14 @@
 };
 
 #ifdef _KERNEL
+#define SET_KERN_ADDR(dst, src, allow)	\
+	do {				\
+		if (allow)		\
+			dst = src;	\
+	} while (/*CONSTCOND*/0);
+
+
+bool	get_expose_address(struct proc *);
 void	*hashinit(u_int, enum hashtype, bool, u_long *);
 void	hashdone(void *, enum hashtype, u_long);
 int	seltrue(dev_t, int, struct lwp *);
Index: secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.48
diff -u -u -r1.48 secmodel_suser.c
--- secmodel/suser/secmodel_suser.c	4 Sep 2018 14:31:19 -0000	1.48
+++ secmodel/suser/secmodel_suser.c	5 Oct 2018 21:22:16 -0000
@@ -446,6 +446,12 @@
 
 		break;
 
+	case KAUTH_SYSTEM_KERNADDR:
+		if (isroot)
+			result = KAUTH_RESULT_ALLOW;
+
+		break;
+
 	default:
 		break;
 	}