authorMark Johnston <markj@FreeBSD.org>2024-04-11 09:58:18 -0400
committerMark Johnston <markj@FreeBSD.org>2024-05-09 12:41:29 -0400
commit77487a63f99d87e3e468d26008baf267ec600760 (patch)
treede15c4ce867b531780e588bacf467b4d21ee052d /net-mgmt/net-snmp/files/patch-agent_kernel.c
parentnet-mgmt/net-snmp: Fix the IPV6 MIB implementation (diff)
net-mgmt/net-snmp: Let snmpd run as a non-root user
- Compile without /dev/kmem access. This requires a small patch that opens libkvm in a dummy mode, which uses sysctls to implement most of its interfaces rather than /dev/kmem access. This way we can drop the dependency on /dev/kmem without rewriting existing code. - Add a new snmpd user. Configure snmpd to drop privileges once it has finished initialization. - Remove the JAIL option. Now that snmpd avoids using /dev/kmem, there is no need to have a special mode for running snmpd in jails. The patch has been proposed upstream here: https://sourceforge.net/p/net-snmp/mailman/net-snmp-coders/thread/ZjEwNV5BiTOQ-Adi%40nuc/#msg58766857 Approved by: zi Sponsored by: Klara, Inc. Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D45031
Diffstat (limited to 'net-mgmt/net-snmp/files/patch-agent_kernel.c')
-rw-r--r--net-mgmt/net-snmp/files/patch-agent_kernel.c40
1 files changed, 40 insertions, 0 deletions
diff --git a/net-mgmt/net-snmp/files/patch-agent_kernel.c b/net-mgmt/net-snmp/files/patch-agent_kernel.c
new file mode 100644
index 000000000000..133b04bd1824
--- /dev/null
+++ b/net-mgmt/net-snmp/files/patch-agent_kernel.c
@@ -0,0 +1,40 @@
+--- agent/kernel.c.orig 2023-08-15 20:32:01 UTC
++++ agent/kernel.c
+@@ -252,7 +252,37 @@ free_kmem(void)
+ kmem = -1;
+ }
+ }
++#elif defined(__FreeBSD__)
++kvm_t *kd;
+
++/**
++ * Initialize the libkvm descriptor. On FreeBSD we can use most of libkvm
++ * without requiring /dev/kmem access. Only kvm_nlist() and kvm_read() need
++ * that, and we don't use them.
++ *
++ * @return TRUE upon success; FALSE upon failure.
++ */
++int
++init_kmem(const char *file)
++{
++ char err[4096];
++
++ kd = kvm_openfiles(NULL, "/dev/null", NULL, O_RDONLY, err);
++ if (!kd) {
++ snmp_log(LOG_CRIT, "init_kmem: kvm_openfiles failed: %s\n", err);
++ return FALSE;
++ }
++ return TRUE;
++}
++
++void
++free_kmem(void)
++{
++ if (kd != NULL) {
++ (void)kvm_close(kd);
++ kd = NULL;
++ }
++}
+ #else
+ int
+ init_kmem(const char *file)
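Review bot: The new FreeBSD `init_kmem` silently ignores its `file` argument, so a caller that passes a kernel or core path still gets a descriptor opened on `/dev/null` with no indication that the path was dropped; marking it explicitly with `(void)file;` and documenting it in the header comment, e.g. `@param file Ignored: libkvm is always opened in sysctl-only mode on /dev/null.`, would make the intent clear to the next reader. A second call to `init_kmem` before `free_kmem` overwrites `kd` and leaks the earlier descriptor; a guard such as `if (kd != NULL) return TRUE;` (or closing the old one first) would mirror the NULL handling that `free_kmem` already does. The `err` buffer at 4096 bytes comfortably exceeds the minimum libkvm documents for the errbuf parameter, so that part looks fine; whether `kd` should be `static` depends on whether other translation units reference it, which is not visible from this patch.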