netlink(4) fine grained access control

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 15 Sep 2025 15:45:35 UTC
I’ve recently had a user raise an interesting issue (see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289234)

For background: pf is in the process of converting the userspace<>kernelspace interface to netlink. This is mostly a great improvement, but it does mean that only the root user (or, the user with PRIV_NETINET_PF privilege) can get information out of pf.

That matches the default behaviour of the /dev/pf interface, but users can choose to allow other users or groups to access pf through a simple chmod/chown on /dev/pf. There’s no obvious way to do the same with netlink.
From a brief inspection of the code I don’t think that any such mechanism exists. I don’t particularly want to invent anything specific to pf either.

My initial impulse was to introduce a PRIV_NETINET_PF_RO priv, and to have users grant that to whatever account they’d normally allow access to /dev/pf, but the ability to set individual privileges for accounts seems to be a Linux-ism (e.g. https://man7.org/linux/man-pages/man8/setcap.8.html) and not something we can do.

So, any ideas or suggestions?

Best regards,
Kristof