commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3 Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de> AuthorDate: Sat Sep 5 07:41:47 2015 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Sep 20 06:52:58 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
add vfio support for libvirt

Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>

 policy/modules/contrib/virt.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
 ## </desc>
 gen_tunable(virt_use_xserver, false)
 
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
 corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+tunable_policy(`virt_use_vfio',`
+	dev_rw_vfio_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
 	fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_vfio',`
+	allow virtd_t self:capability sys_resource;
+	allow virtd_t self:process setrlimit;
+	allow virtd_t svirt_t:process rlimitinh;
+	dev_relabelfrom_vfio_dev(virtd_t)
+')
+
 optional_policy(`
 	brctl_domtrans(virtd_t)
 ')
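Review bot: The description lines for the new tunable are prefixed `###` (every line after the `## <desc>` opener), while the existing tunable descriptions in virt.te, including the `## </desc>` context line directly above, use the two-hash `## ` prefix that the policy documentation extractor keys on; if this is not a rendering artifact of the commit view, the lines should read `## <p>`, `## Determine whether confined virtual guests`, `## </p>` and `## </desc>`. The wording could also name the requirement more precisely, e.g. `## can use vfio for PCI device pass-through (requires an IOMMU, e.g. VT-d or AMD-Vi).`, since the mechanism is not Intel-specific. The default of false is the right choice for a boolean that, when enabled, opens vfio device nodes to confined guests (second hunk).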
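Review bot: `dev_rw_vfio_dev(svirt_t)` applies to every svirt_t guest at once when the boolean is on; nothing here distinguishes the guest that was actually configured for pass-through from the others, so each confined guest may read/write whatever nodes carry the vfio device type, subject to its MCS label. That matches how the sibling `virt_use_*` tunables are scoped and is acceptable given the false default, but the tunable description (first hunk) should state that the grant is host-wide rather than per guest. Neither `dev_rw_vfio_dev` nor `dev_relabelfrom_vfio_dev` (third hunk) is defined in this commit, which per the diffstat touches only virt.te, so the build depends on devices.if already providing both interfaces; confirm that before merging.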
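Review bot: `dev_relabelfrom_vfio_dev(virtd_t)` covers only the relabelfrom half of a relabel; changing a vfio device node's label also requires relabelto on the target type (presumably the guest's image type), which is not granted in this hunk and so must already come from an existing virtd_t rule — worth confirming with `sesearch` rather than assuming. The three `allow virtd_t ...` rules (`sys_resource`, `setrlimit`, `rlimitinh`) arrive without any comment; they look like what libvirt needs to raise the locked-memory limit of the guest process when guest RAM must be pinned for DMA, but that is an inference, so a line such as `# vfio pass-through: libvirt raises the guest's RLIMIT_MEMLOCK and the guest inherits it (TODO confirm)` above the rules would document the reason for the next reader. `sys_resource` is a broad capability that also lifts other resource and quota limits, so keeping it inside the tunable, as done here, is the correct scope; a one-line note saying it is only granted while `virt_use_vfio` is on would make that intent explicit.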