SECURITY: Drop `setgid kmem' bit as early as possible.

sbin/ccdconfig/ccdconfig.c

@@ -511,6 +511,8 @@ dump_ccd(argc, argv)
 		warnx("can't open kvm: %s", errbuf);
 		return (1);
 	}
+	setegid(getgid());
+	setgid(getgid());
 
 	if (kvm_nlist(kd, nl))
 		KVM_ABORT(kd, "ccd-related symbols not available");

usr.bin/fstat/fstat.c

@@ -236,6 +236,7 @@ main(argc, argv)
 
 	if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf)) == NULL)
 		errx(1, "%s", buf);
+	setgid(getgid());
 #ifdef notdef
 	if (kvm_nlist(kd, nl) != 0)
 		errx(1, "no namelist: %s", kvm_geterr(kd));

usr.bin/netstat/main.c

@@ -664,6 +664,7 @@ kread(u_long addr, char *buf, int size)
 		 * XXX.
 		 */
 		kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf);
+		setgid(getgid());
 		if (kvmd != NULL) {
 			if (kvm_nlist(kvmd, nl) < 0) {
 				if(nlistf)

usr.bin/vmstat/vmstat.c

@@ -241,6 +241,7 @@ main(argc, argv)
 	kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf);
 	if (kd == 0) 
 		errx(1, "kvm_openfiles: %s", errbuf);
+	setgid(getgid());
 
 	if ((c = kvm_nlist(kd, namelist)) != 0) {
 		if (c > 0) {

usr.sbin/pstat/pstat.c

@@ -291,6 +291,7 @@ main(argc, argv)
 
 	if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf)) == 0)
 		errx(1, "kvm_openfiles: %s", buf);
+	(void)setgid(getgid());
 	if ((ret = kvm_nlist(kd, nl)) != 0) {
 		if (ret == -1)
 			errx(1, "kvm_nlist: %s", kvm_geterr(kd));

usr.sbin/trpt/trpt.c

@@ -164,6 +164,7 @@ main(argc, argv)
 		errx(1, "%s: no namelist", system);
 	if ((memf = open(core, O_RDONLY)) < 0)
 		err(2, "%s", core);
+	setgid(getgid());
 	if (kflag)
 		errx(1, "can't do core files yet");
 	(void)klseek(memf, (off_t)nl[N_TCP_DEBX].n_value, L_SET);