1 files changed, 22 insertions, 0 deletions

diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index f24e12e..3d6e0f0 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -48,6 +48,7 @@
 #include <sys/file.h>
 #include <sys/filedesc.h>
 #include <sys/filio.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -706,6 +707,22 @@ devfs_kqfilter_f(struct file *fp, struct knote *kn)
 	return (error);
 }
 
+static inline int
+devfs_prison_check(struct devfs_dirent *de, struct ucred *tcr)
+{
+	struct cdev_priv *cdp;
+	struct ucred *dcr;
+
+	cdp = de->de_cdp;
+	if (cdp == NULL)
+		return (0);
+	dcr = cdp->cdp_c.si_cred;
+	if (dcr == NULL)
+		return (0);
+
+	return (prison_check(tcr, dcr));
+}
+
 static int
 devfs_lookupx(struct vop_lookup_args *ap, int *dm_unlock)
 {
@@ -831,6 +848,9 @@ devfs_lookupx(struct vop_lookup_args *ap, int *dm_unlock)
 		return (ENOENT);
 	}
 
+	if (devfs_prison_check(de, td->td_ucred))
+		return (ENOENT);
+
 	if ((cnp->cn_nameiop == DELETE) && (flags & ISLASTCN)) {
 		error = VOP_ACCESS(dvp, VWRITE, cnp->cn_cred, td);
 		if (error)
@@ -1106,6 +1126,8 @@ devfs_readdir(struct vop_readdir_args *ap)
 		KASSERT(dd->de_cdp != (void *)0xdeadc0de, ("%s %d\n", __func__, __LINE__));
 		if (dd->de_flags & DE_WHITEOUT)
 			continue;
+		if (devfs_prison_check(dd, ap->a_cred))
+			continue;
 		if (dd->de_dirent->d_type == DT_DIR)
 			de = dd->de_dir;
 		else