
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
Date: Sat, 10 Oct 2015 12:11:29
Message-Id: 1442731978.1b899c0409bfc59f0ff4c03259d658578902b9b3.swift@gentoo
1 commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3
2 Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
3 AuthorDate: Sat Sep 5 07:41:47 2015 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sun Sep 20 06:52:58 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
7
8 add vfio support for libvirt
9
10 Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
11
12 policy/modules/contrib/virt.te | 19 +++++++++++++++++++
13 1 file changed, 19 insertions(+)
14
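diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
 ## </desc>
 gen_tunable(virt_use_xserver, false)
 
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
 corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
 fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
 optional_policy(`
 brctl_domtrans(virtd_t)
 ')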
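Review bot: The third hunk grants virtd_t `self:capability sys_resource` and `self:process setrlimit` under virt_use_vfio, but neither the tunable's <desc> in the first hunk nor a comment in the block says why, so someone enabling the boolean sees only "pci device pass through" and not that it also lets virtd raise its own resource limits. A short comment above the allow rules, `# vfio device assignment pins guest memory; virtd presumably raises the memlock limit for the guest process and lets svirt_t inherit it — confirm against libvirt`, would make the grant reviewable, and the <desc> could mention the resource-limit side effect. The `rlimitinh` rule only takes effect on the virtd_t to svirt_t domain transition, which is defined outside these hunks, so the svirt_t side in the second hunk depends on that transition already existing. dev_rw_vfio_dev and dev_relabelfrom_vfio_dev are interfaces from another module that this diff does not show, so their availability in this policy tree is assumed rather than established here.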