208a859459
We restrict the (optional) input file and output files. It would be nice to restrict the KVM files, but that's up to libkvm. We wait until after kvm_nlist() is invoked to cap_enter() because kldsym() isn't supported in the Capsicum sandbox.

Feedback from: emaste@ (earlier versions)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D7921