From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 26 Sep 2013 10:29:21 -0400
Subject: [refpolicy] [PATCH 12/20] Initial virtio console device
In-Reply-To: <1380029996-25331-1-git-send-email-dominick.grift@gmail.com>
References: <1380029996-25331-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <524444C1.7070309@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue 24 Sep 2013 09:39:56 AM EDT, Dominick Grift wrote:
> Also known as 'vmchannel', a transport mechanism is needed for
> communication between the host userspace and guest userspace for
> achieving things like making clipboard copy/paste work seamlessly across
> the host and guest, locking the guest screen in case the vnc session to
> the guest is closed and so on. This can be used in offline cases as
> well, for example with libguestfs to probe which file systems the guest
> uses, the apps installed, etc.
>
> Virtio-serial is just the transport protocol that will enable such
> applications to be written. It has two parts: (a) device emulation in
> qemu that presents a virtio-pci device to the guest and (b) a guest
> driver that presents a char device interface to userspace applications.

Merged.

> Signed-off-by: Dominick Grift
> ---
> policy/modules/kernel/terminal.fc | 1 +
> policy/modules/kernel/terminal.if | 19 +++++++++++++++++++
> policy/modules/kernel/terminal.te | 4 ++++
> 3 files changed, 24 insertions(+)
>
> diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
> index 7d45d15..0ea25b6 100644
> --- a/policy/modules/kernel/terminal.fc
> +++ b/policy/modules/kernel/terminal.fc
> @@ -19,6 +19,7 @@ > /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) > /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) > /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) > +/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) > /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) > > /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) > diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if > index 771bce1..cbb729b 100644 > --- a/policy/modules/kernel/terminal.if > +++ b/policy/modules/kernel/terminal.if > @@ -1512,3 +1512,22 @@ interface(`term_dontaudit_use_all_user_ttys',` > refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') > term_dontaudit_use_all_ttys($1) > ') > + > +##################################### > +## > +## Read from and write virtio console. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`term_use_virtio_console',` > + gen_require(` > + type virtio_device_t; > + ') > + > + dev_list_all_dev_nodes($1) > + allow $1 virtio_device_t:chr_file rw_term_perms; > +') > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te > index 224e500..a4c9998 100644 > --- a/policy/modules/kernel/terminal.te > +++ b/policy/modules/kernel/terminal.te > @@ -56,3 +56,7 @@ dev_node(tty_device_t) > # > type usbtty_device_t, serial_device; > dev_node(usbtty_device_t) > + > +type virtio_device_t, serial_device; > +dev_node(virtio_device_t) > +

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
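Review bot: in the terminal.fc hunk the new pattern `/dev/vport[0-9]p[0-9]+` quantifies only the port index, so a virtio-serial device numbered 10 or higher (e.g. `/dev/vport10p1`) would not match and would keep the default device label; make the first class `[0-9]+` as well, in line with neighbouring entries such as `/dev/slamr[0-9]+`.

Review bot: the summary of term_use_virtio_console() in the terminal.if hunk reads "Read from and write virtio console.", which does not parse as a sentence; reword it to "Read from and write to the virtio console device." The interface body itself follows the established pattern for terminal device access (dev_list_all_dev_nodes() plus `rw_term_perms` on the chr_file), so nothing further is needed there.

Review bot: in the terminal.te hunk the new virtio_device_t declaration lacks the `#` comment header that precedes usbtty_device_t in the context lines, and the hunk ends with an empty `+` line that adds a trailing blank line to the file; add the header and drop the blank line. As a style point, the type name is broader than what it labels: the fc entry and the interface are specific to the virtio console, so a name such as virtio_console_device_t would describe it more precisely, though the current name is used consistently across all three files.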