author | Alexander Wetzel <alexander.wetzel@web.de> | 2015-09-05 15:41:47 +0800 |
committer | Jason Zaman <jason@perfinion.com> | 2015-09-20 14:52:58 +0800 |
commit | 1b899c0409bfc59f0ff4c03259d658578902b9b3 (patch) | |
tree | 867c11dd20b45adcd7309b16c1944b396628ccf9 | |
parent | Module version bump for vfio device from Alexander Wetzel. (diff) | |
add vfio support for libvirt
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
-rw-r--r-- | policy/modules/contrib/virt.te | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d293..881560fd 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
 ## </desc>
 gen_tunable(virt_use_xserver, false)

+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
 corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)

+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
 fs_read_cifs_symlinks(virtd_t)
 ')

+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
 optional_policy(`
 brctl_domtrans(virtd_t)
 ') |
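Review bot: The `<desc>` text for `virt_use_vfio` in the first hunk describes only what guests gain, but the third hunk shows the same tunable also widening `virtd_t` (`self:capability sys_resource`, `self:process setrlimit`, `svirt_t:process rlimitinh`), and an administrator reading the tunable description cannot see that. The description should state both effects, e.g. `### Determine whether confined virtual guests can use vfio for PCI device passthrough (VT-d); enabling it also lets virtd_t raise resource limits and pass them to guest domains.`, which also fixes the capitalisation of PCI and VT-d. The `+### <p>` lines appear to carry three hashes where the surrounding descriptions on the page use two (`## </desc>`); worth checking that this is rendered as intended by the policy doc tooling.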
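Review bot: The three rlimit-related `allow` rules in the `virt_use_vfio` block of the third hunk carry no comment, so a reader cannot tell why a device-passthrough tunable grants `sys_resource`, `setrlimit` and `rlimitinh`; presumably libvirt raises the locked-memory limit because vfio pins guest RAM, but that is not stated anywhere in the hunk. A one-line comment above the first rule would make the grant auditable, e.g. `# vfio pins guest memory: virtd raises its resource limits and svirt_t inherits them (rlimitinh)`. Note also that `rlimitinh` is granted for every `svirt_t` domain rather than per guest, and that only `dev_relabelfrom_vfio_dev(virtd_t)` appears here; the matching relabel-to permission for the guest label is presumably provided elsewhere in the file, which is outside this hunk and worth confirming.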