From: jason@perfinion.com (Jason Zaman)
Date: Sat,  5 Sep 2015 15:41:47 +0800
Subject: [refpolicy] [PATCH 1/1] add vfio support for libvirt
In-Reply-To: <1441438908-1443-1-git-send-email-jason@perfinion.com>
References: <1441438908-1443-1-git-send-email-jason@perfinion.com>
Message-ID: <1441438908-1443-2-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Alexander Wetzel <alexander.wetzel@web.de>

Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
---
 virt.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/virt.te b/virt.te
index f8a59e4..f512ddc 100644
--- a/virt.te
+++ b/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
 ## </desc>
 gen_tunable(virt_use_xserver, false)
 
+## <desc>
+###      <p>
+###      Determine whether confined virtual guests
+###      can use vfio for pci device pass through (vt-d).
+###      </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t)
 corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+tunable_policy(`virt_use_vfio',`
+	dev_rw_vfio_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
@@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',`
 	fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_vfio',`
+	allow virtd_t self:capability sys_resource;
+	allow virtd_t self:process setrlimit;
+	allow virtd_t svirt_t:process rlimitinh;
+	dev_relabelfrom_vfio_dev(virtd_t)
+')
+
 optional_policy(`
 	brctl_domtrans(virtd_t)
 ')
-- 
2.4.0