diff --git a/sys/security/mac_ddb/mac_ddb.c b/sys/security/mac_ddb/mac_ddb.c
--- a/sys/security/mac_ddb/mac_ddb.c
+++ b/sys/security/mac_ddb/mac_ddb.c
@@ -29,11 +29,17 @@
  */
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kdb.h>
 #include <sys/module.h>
+#include <sys/mount.h>
 #include <sys/proc.h>
+#include <sys/queue.h>
+#include <sys/rman.h>
 #include <sys/sysctl.h>
 
+#include <net/vnet.h>
+
 #include <ddb/ddb.h>
 #include <ddb/db_command.h>
 
@@ -67,6 +73,11 @@
     char *modif);
 
 static db_validation_fn_t	db_thread_valid;
+static db_validation_fn_t	db_show_ffs_valid;
+static db_validation_fn_t	db_show_prison_valid;
+static db_validation_fn_t	db_show_proc_valid;
+static db_validation_fn_t	db_show_rman_valid;
+static db_validation_fn_t	db_show_vnet_valid;
 
 struct cmd_list_item {
 	const char *name;
@@ -80,7 +91,12 @@
 
 /* List of ddb(4) 'show' commands which are allowed by this policy. */
 static const struct cmd_list_item show_command_list[] = {
+	{ "ffs",	db_show_ffs_valid },
+	{ "prison",	db_show_prison_valid },
+	{ "proc",	db_show_proc_valid },
+	{ "rman",	db_show_rman_valid },
 	{ "thread",	db_thread_valid },
+	{ "vnet",	db_show_vnet_valid },
 };
 
 static int
@@ -103,6 +119,91 @@
 	return (EACCES);
 }
 
+static int
+db_show_ffs_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
+{
+	struct mount *mp;
+
+	/* No addr will show all mounts. */
+	if (!have_addr)
+		return (0);
+
+	TAILQ_FOREACH(mp, &mountlist, mnt_list)
+		if ((void *)mp == (void *)addr)
+			return (0);
+
+	return (EACCES);
+}
+
+static int
+db_show_prison_valid(db_expr_t addr, bool have_addr, db_expr_t count,
+    char *modif)
+{
+	struct prison *pr;
+	int pr_id;
+
+	if (!have_addr || addr == 0)
+		return (0);
+
+	/* prison can match by pointer address or ID. */
+	pr_id = (int)addr;
+	TAILQ_FOREACH(pr, &allprison, pr_list)
+		if (pr->pr_id == pr_id || (void *)pr == (void *)addr)
+			return (0);
+
+	return (EACCES);
+}
+
+static int
+db_show_proc_valid(db_expr_t addr, bool have_addr, db_expr_t count,
+    char *modif)
+{
+	struct proc *p;
+	int i;
+
+	/* Default will show the current proc. */
+	if (!have_addr)
+		return (0);
+
+	for (i = 0; i <= pidhash; i++) {
+		LIST_FOREACH(p, &pidhashtbl[i], p_hash) {
+			if ((void *)p == (void *)addr)
+				return (0);
+		}
+	}
+
+	return (EACCES);
+}
+
+static int
+db_show_rman_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
+{
+	struct rman *rm;
+
+	TAILQ_FOREACH(rm, &rman_head, rm_link) {
+		if ((void *)rm == (void *)rm)
+			return (0);
+	}
+
+	return (EACCES);
+}
+
+static int
+db_show_vnet_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
+{
+	VNET_ITERATOR_DECL(vnet);
+
+	if (!have_addr)
+		return (0);
+
+	VNET_FOREACH(vnet) {
+		if ((void *)vnet == (void *)addr)
+			return (0);
+	}
+
+	return (EACCES);
+}
+
 static int
 command_match(struct db_command *cmd, struct cmd_list_item item)
 {