Hi, kdump(1) only needs access to tracefile which by default is ktrace.out unless argument -f is used. We can just unveil(2) that file with read permissions.
I tried it with all possible arguments just to make sure nothing breaks. Comments? OK? Index: kdump.c =================================================================== RCS file: /cvs/src/usr.bin/kdump/kdump.c,v retrieving revision 1.133 diff -u -p -u -r1.133 kdump.c --- kdump.c 28 Nov 2017 15:35:02 -0000 1.133 +++ kdump.c 10 Aug 2018 13:12:03 -0000 @@ -208,6 +208,8 @@ main(int argc, char *argv[]) if (argc > optind) usage(); + if (unveil(tracefile, "r") == -1) + err(1, "unveil"); if (pledge("stdio rpath getpw", NULL) == -1) err(1, "pledge");