--- sys/dev/drm/drmP.h.org	2015-01-05 11:51:06.000000000 +0900
+++ sys/dev/drm/drmP.h	2015-01-05 10:59:14.000000000 +0900
@@ -222,7 +222,7 @@
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
 #if __FreeBSD_version >= 700000
-#define DRM_SUSER(p)		(priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p)		(priv_check(p, PRIV_KMEM_WRITE) == 0)
 #else
 #define DRM_SUSER(p)		(suser(p) == 0)
 #endif
--- sys/kern/kern_jail.c.org	2015-01-05 11:00:57.000000000 +0900
+++ sys/kern/kern_jail.c	2015-01-05 11:12:38.000000000 +0900
@@ -206,6 +206,7 @@
 	"allow.mount.nullfs",
 	"allow.mount.zfs",
 	"allow.mount.procfs",
+	"allow.kmem_access",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -221,6 +222,7 @@
 	"allow.mount.nonullfs",
 	"allow.mount.nozfs",
 	"allow.mount.noprocfs",
+	"allow.nokmem_access",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -3956,6 +3958,27 @@
 		return (0);
 
 		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
+		 * Allow low level access to KMEM-like devices (e.g. to
+		 * allow Xorg to use DRI).
+		 */
+	case PRIV_KMEM_WRITE:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
 		 * Allow jailed root to set loginclass.
 		 */
 	case PRIV_PROC_SETLOGINCLASS:
@@ -4365,6 +4388,8 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may access kmem-like devices (io, dri) if they exist");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
--- sys/sys/jail.h.org	2015-01-05 11:02:02.000000000 +0900
+++ sys/sys/jail.h	2015-01-05 11:16:32.000000000 +0900
@@ -227,7 +227,8 @@
 #define	PR_ALLOW_MOUNT_NULLFS		0x0100
 #define	PR_ALLOW_MOUNT_ZFS		0x0200
 #define	PR_ALLOW_MOUNT_PROCFS		0x0400
-#define	PR_ALLOW_ALL			0x07ff
+#define	PR_ALLOW_KMEM_ACCESS		0x1000
+#define	PR_ALLOW_ALL			0x17ff
 
 /*
  * OSD methods