Index: fido.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/fido.c,v
retrieving revision 1.5
diff -u -p -r1.5 fido.c
--- fido.c	2 Jul 2022 08:50:42 -0000	1.5
+++ fido.c	8 Nov 2022 11:03:28 -0000
@@ -76,6 +76,9 @@ fido_match(struct device *parent, void *
 int
 fidoopen(dev_t dev, int flag, int mode, struct proc *p)
 {
+	if (!ISSET(flag, FWRITE))
+		return (0);
+
 	return (uhid_do_open(dev, flag, mode, p));
 }
 
@@ -85,17 +88,28 @@ fidoioctl(dev_t dev, u_long cmd, caddr_t
 	int	 error;
 
 	switch (cmd) {
-	case FIONBIO:
-	case FIOASYNC:
 	case USB_GET_DEVICEINFO:
+		/* these ioctls are fine for read access */
 		break;
 	default:
-		/*
-		 * Users don't need USB/HID ioctl access to fido(4) devices
-		 * but it can still be useful for debugging by root.
-		 */
-		if ((error = suser(p)) != 0)
-			return (error);
+		/* everything else needs write access */
+		if (!ISSET(flag, FWRITE))
+			return (EPERM);
+
+		switch (cmd) {
+		case FIONBIO:
+		case FIOASYNC:
+			break;
+		default:
+			/*
+                         * Users don't need USB/HID ioctl access
+                         * to fido(4) devices but it can still be
+                         * useful for debugging by root.
+			 */
+			if ((error = suser(p)) != 0)
+				return (error);
+			break;
+		}
 		break;
 	}