commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3 |
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de> |
AuthorDate: Sat Sep 5 07:41:47 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Sep 20 06:52:58 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04 |
|
add vfio support for libvirt |
|
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de> |
|
policy/modules/contrib/virt.te | 19 +++++++++++++++++++ |
1 file changed, 19 insertions(+) |
|
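diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
 ## </desc>
 gen_tunable(virt_use_xserver, false)
 
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
 corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
 fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
 optional_policy(`
  brctl_domtrans(virtd_t)
 ')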
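Review bot: The third hunk grants virtd_t `self:capability sys_resource` and `self:process setrlimit` under the same boolean, but neither the hunk nor the tunable's `<desc>` in the first hunk records why a PCI pass-through switch widens libvirtd's own resource-limit rights; a comment above the block such as `# vfio pins guest memory, so libvirtd needs to raise the guest's locked-memory limit and let svirt_t inherit it` would document the intent (that motive is inferred from the rules, not stated on the page). The `<desc>` for virt_use_vfio should likewise say that enabling it also lets libvirtd raise resource limits and relabel vfio device nodes, rather than only that guests can use vfio, since that is the part an administrator weighing the boolean needs to know. `dev_relabelfrom_vfio_dev(virtd_t)` covers only relabeling away from the vfio device type; whether the matching relabelto for the guest's image type is already granted to virtd_t elsewhere in the file cannot be confirmed from this hunk. Only svirt_t receives `dev_rw_vfio_dev` in the second hunk, so any other virt_domain type expected to use vfio is not covered by this commit.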