From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 Jun 2015 23:37:24 +0200
Subject: [refpolicy] [PATCH] proposal for libvirt vfio/vt-d support
In-Reply-To: <557604EB.4000404@web.de>
References: <55746E03.90502@web.de> <55747110.5030901@web.de> <20150607172613.GB21587@x131e> <557604EB.4000404@web.de>
Message-ID: <20150608213723.GB6341@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 08, 2015 at 11:11:07PM +0200, Alexander Wetzel wrote:
> I've changed the patch as outlined, I hope it's correct now...
>
> Since it's working now without
> "allow virtd_t vfio_device_t:chr_file setattr;"
> I've also dropped that from the patch.

I wonder what that is all about. Back when I was using this functionality this only worked with root UID. I wonder if that is still the case. Maybe it now works with an unprivileged UID and it may need to set attributes in that scenario.

Nevertheless, since you enclosed the two patches in a single e-mail, and since you did not send the patches in-line, I will leave it up to the refpolicy maintainer to decide if this can be processed as-is.

>
> Since the virt module is in the contrib submodule I had to split this in
> two patches, or at least I see no way to do that in one git patch.
>
> From 631ba532a733c20965b63fbe1a4e4217c1bb303b Mon Sep 17 00:00:00 2001 > From: Alexander Wetzel > Date: Mon, 8 Jun 2015 21:36:45 +0200 > Subject: [PATCH 1/1] adds vfio device support to base policy > > Signed-off-by: Alexander Wetzel > --- > policy/modules/kernel/devices.fc | 1 + > policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++ > policy/modules/kernel/devices.te | 3 +++ > 3 files changed, 40 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index d6ebfcd..a33e395 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc
> @@ -118,6 +118,7 @@ > ifdef(`distro_suse', ` > /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) > ') > +/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) > /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) > /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) > /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 9744d63..3b904d7 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if > @@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',` > > ######################################## > ## > +## Read and write vfio devices. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_rw_vfio_dev',` > + gen_require(` > + type device_t, vfio_device_t; > + ') > + > + rw_chr_files_pattern($1, device_t, vfio_device_t) > +') > + > +######################################## > +## > +## Relabel vfio devices. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_relabelfrom_vfio_dev',` > + gen_require(` > + type device_t, vfio_device_t; > + ') > + > + relabelfrom_chr_files_pattern($1, device_t, vfio_device_t) > +') > + > +############################ > +## > ## Allow read/write the vhost net device > ## > ## > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 166c8f7..eb12597 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -273,6 +273,9 @@ dev_node(usbmon_device_t) > type userio_device_t; > dev_node(userio_device_t) > > +type vfio_device_t; > +dev_node(vfio_device_t) > + > type v4l_device_t; > dev_node(v4l_device_t) > > -- > 2.4.0 > > From de1c81974a3247d3ceb3b41af869d93948a9fdf1 Mon Sep 17 00:00:00 2001 > From: Alexander Wetzel > Date: Mon, 8 Jun 2015 22:52:31 +0200 > Subject: [PATCH 1/1] add vfio support for libvirt 
> > Signed-off-by: Alexander Wetzel > --- > virt.te | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/virt.te b/virt.te > index f8a59e4..f512ddc 100644 > --- a/virt.te > +++ b/virt.te > @@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false) > ## > gen_tunable(virt_use_xserver, false) > > +## > +###

> +### Determine whether confined virtual guests > +### can use vfio for pci device pass through (vt-d). > +###

> +###
> +gen_tunable(virt_use_vfio, false) > + > attribute virt_ptynode; > attribute virt_domain; > attribute virt_image_type; > @@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t) > corenet_sendrecv_all_client_packets(svirt_t) > corenet_tcp_connect_all_ports(svirt_t) > > +tunable_policy(`virt_use_vfio',` > + dev_rw_vfio_dev(svirt_t) > +') > + > ######################################## > # > # virtd local policy > @@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',` > fs_read_cifs_symlinks(virtd_t) > ') > > +tunable_policy(`virt_use_vfio',` > + allow virtd_t self:capability sys_resource; > + allow virtd_t self:process setrlimit; > + allow virtd_t svirt_t:process rlimitinh; > + dev_relabelfrom_vfio_dev(virtd_t) > +') > + > optional_policy(` > brctl_domtrans(virtd_t) > ') > -- > 2.4.0

-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
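Review bot: in the devices.if hunk the summary of `dev_relabelfrom_vfio_dev` ("Relabel vfio devices.") promises more than the body grants, since `relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)` only allows changing a label away from vfio_device_t and gives no relabelto; reword it to "Relabel from vfio devices." and state that the caller must already be allowed relabelto on the destination type. Also, the separator row added just before the vhost interface (`+############################`) is shorter than the `########################################` rows used by every other interface in the file; pad it to the same width.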
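Review bot: in the svirt_t hunk, `dev_rw_vfio_dev(svirt_t)` gives every svirt_t guest read/write on every chr_file labelled vfio_device_t, which with the `/dev/vfio/.+` file context covers both the vfio container device (/dev/vfio/vfio) and every iommu group device (/dev/vfio/<N>), assigned to that guest or not. Since the virtd_t hunk adds `dev_relabelfrom_vfio_dev(virtd_t)`, which suggests virtd relabels an assigned group device to a per-guest label, consider whether svirt_t needs a type-wide allow at all, or whether only the container device should keep the shared label; as written, the per-guest separation that the relabel is meant to provide is bypassed by the blanket rule.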
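Review bot: in the virtd_t hunk the three rlimit rules (`allow virtd_t self:capability sys_resource;`, `allow virtd_t self:process setrlimit;`, `allow virtd_t svirt_t:process rlimitinh;`) are not about the vfio device node and the hunk gives no hint why a device-access tunable also grants capability sys_resource; add a comment stating the reason (presumably libvirt raising the locked-memory limit of a guest with an assigned device, since pass-through pins guest RAM for DMA), so a later reader can judge whether the rules belong under virt_use_vfio or should be unconditional. Also verify that virtd_t already holds relabelto on whatever type the vfio group device is relabelled to, because this patch only adds the relabelfrom side.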