2015-09-05 07:41:46

by Jason Zaman

Subject: [refpolicy] missed patches: VFIO support to libvirt

Hi Chris,

It appears these patches slipped through earlier on so I'm
resending on behalf of Alexander Wetzel.

They were originally sent here:
http://oss.tresys.com/pipermail/refpolicy/2015-June/007661.html

The related Gentoo Bug:
https://bugs.gentoo.org/522736


2015-09-05 07:41:47

by Jason Zaman

Subject: [refpolicy] [PATCH 1/1] add vfio support for libvirt

From: Alexander Wetzel <[email protected]>

Signed-off-by: Alexander Wetzel <[email protected]>
---
virt.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/virt.te b/virt.te
index f8a59e4..f512ddc 100644
--- a/virt.te
+++ b/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
## </desc>
gen_tunable(virt_use_xserver, false)

+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
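Review bot: the body of the description block uses a `###` prefix (`### <p>`, `### Determine whether ...`, `### </desc>`) while the opening `## <desc>` and the existing tunable just above use `##`; the policy documentation tools expect every line of such a block to start with `##`, so the extra `#` ends up inside the generated XML. Use `## <p>`, `## </p>` and `## </desc>` throughout. The wording "(vt-d)" also ties the tunable to Intel hardware, but VFIO passthrough works with any IOMMU (AMD-Vi included), so "PCI device passthrough via the IOMMU" would describe it more accurately.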
@@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t)
corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)

+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
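Review bot: `dev_rw_vfio_dev(svirt_t)` grants the access to the single type `svirt_t`, although the file declares a `virt_domain` attribute for the confined guest domains; if the other guest types are meant to be covered by the same tunable, apply the interface to the attribute instead. It is also worth spelling out in the tunable description what is being granted: read/write and, through `rw_chr_file_perms`, ioctl on the VFIO container and group nodes, which is what lets the guest process program a device capable of DMA within its IOMMU domain.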
@@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',`
fs_read_cifs_symlinks(virtd_t)
')

+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
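Review bot: the `sys_resource` capability, `setrlimit` and `rlimitinh` rules are not about the VFIO device nodes, and the one-line commit message does not say why they are needed; add a comment in the block (and a sentence to the commit message) stating the reason: VFIO pins guest RAM for DMA, so libvirt raises RLIMIT_MEMLOCK on the qemu process and the guest domain inherits that limit. Note also that `dev_relabelfrom_vfio_dev(virtd_t)` covers only the relabelfrom side; it relies on virtd_t already having relabelto permission on whatever type it assigns to `/dev/vfio/<N>` for the guest, which this hunk does not show.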
--
2.4.0

2015-09-05 07:41:48

by Jason Zaman

Subject: [refpolicy] [PATCH 1/1] adds vfio device support to base policy

From: Alexander Wetzel <[email protected]>

Signed-off-by: Alexander Wetzel <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
3 files changed, 40 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
+/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
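Review bot: `/dev/vfio/.+` labels the shared container node `/dev/vfio/vfio` and every per-group node `/dev/vfio/<N>` with the same `vfio_device_t`, so any domain given the rw interface can open every IOMMU group on the host, not only the one assigned to it; that is workable when libvirt relabels the group node per guest, but the single-type design should be noted in the commit message. The directory `/dev/vfio` itself gets no entry and therefore keeps the default `device_t`, which matches the `device_t` directory type used in the new interfaces.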
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 9744d63..3b904d7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`

########################################
## <summary>
+## Read and write vfio devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+## Relabel vfio devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabelfrom_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+############################
+## <summary>
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
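Review bot: the separator above the vhost interface was shortened to `############################` (28 characters) when the new block was inserted; restore the 40-character `########################################` used everywhere else in the file. The summary of `dev_rw_vfio_dev` should also say that `rw_chr_files_pattern` grants `ioctl` together with read/write, since the VFIO API is driven entirely through ioctl on these nodes and "Read and write vfio devices." understates what the caller receives.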
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)

+type vfio_device_t;
+dev_node(vfio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)

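Review bot: the declaration is placed between `userio_device_t` and `v4l_device_t`, but the surrounding declarations are in alphabetical order (`usbmon`, `userio`, `v4l`, ...), so `vfio_device_t` belongs after `v4l_device_t`; move the two lines down one entry to keep the ordering.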
--
2.4.0

2015-09-15 12:55:53

by cpebenito

Subject: [refpolicy] [PATCH 1/1] adds vfio device support to base policy

On 9/5/2015 3:41 AM, Jason Zaman wrote:
> From: Alexander Wetzel <[email protected]>

Merged.



> Signed-off-by: Alexander Wetzel <[email protected]>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 3 +++
> 3 files changed, 40 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index d6ebfcd..a33e395 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -118,6 +118,7 @@
> ifdef(`distro_suse', `
> /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
> ')
> +/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
> /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 9744d63..3b904d7 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
>
> ########################################
> ## <summary>
> +## Read and write vfio devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_rw_vfio_dev',`
> + gen_require(`
> + type device_t, vfio_device_t;
> + ')
> +
> + rw_chr_files_pattern($1, device_t, vfio_device_t)
> +')
> +
> +########################################
> +## <summary>
> +## Relabel vfio devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_relabelfrom_vfio_dev',`
> + gen_require(`
> + type device_t, vfio_device_t;
> + ')
> +
> + relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
> +')
> +
> +############################
> +## <summary>
> ## Allow read/write the vhost net device
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 166c8f7..eb12597 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
> type userio_device_t;
> dev_node(userio_device_t)
>
> +type vfio_device_t;
> +dev_node(vfio_device_t)
> +
> type v4l_device_t;
> dev_node(v4l_device_t)
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-09-15 12:56:01

by cpebenito

Subject: [refpolicy] [PATCH 1/1] add vfio support for libvirt

On 9/5/2015 3:41 AM, Jason Zaman wrote:
> From: Alexander Wetzel <[email protected]>

Merged.


> Signed-off-by: Alexander Wetzel <[email protected]>
> ---
> virt.te | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/virt.te b/virt.te
> index f8a59e4..f512ddc 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
> ## </desc>
> gen_tunable(virt_use_xserver, false)
>
> +## <desc>
> +### <p>
> +### Determine whether confined virtual guests
> +### can use vfio for pci device pass through (vt-d).
> +### </p>
> +### </desc>
> +gen_tunable(virt_use_vfio, false)
> +
> attribute virt_ptynode;
> attribute virt_domain;
> attribute virt_image_type;
> @@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t)
> corenet_sendrecv_all_client_packets(svirt_t)
> corenet_tcp_connect_all_ports(svirt_t)
>
> +tunable_policy(`virt_use_vfio',`
> + dev_rw_vfio_dev(svirt_t)
> +')
> +
> ########################################
> #
> # virtd local policy
> @@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',`
> fs_read_cifs_symlinks(virtd_t)
> ')
>
> +tunable_policy(`virt_use_vfio',`
> + allow virtd_t self:capability sys_resource;
> + allow virtd_t self:process setrlimit;
> + allow virtd_t svirt_t:process rlimitinh;
> + dev_relabelfrom_vfio_dev(virtd_t)
> +')
> +
> optional_policy(`
> brctl_domtrans(virtd_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com