From c982d029137edbe597a62a203c85dbd2b161563e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <concord@gentoo.org>
Date: Tue, 19 Dec 2023 00:07:35 -0500
Subject: kubernetes: allow container engines to mount on DRI devices if
 enabled

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 policy/modules/kernel/devices.if      | 18 ++++++++++++++++++
 policy/modules/services/kubernetes.te |  4 ++++
 2 files changed, 22 insertions(+)

(limited to 'policy')

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a2d55ded..d1536573 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2065,6 +2065,24 @@ interface(`dev_manage_dri_dev',`
 	allow $1 dri_device_t:chr_file map;
 ')
 
+########################################
+## <summary>
+##	Mount on the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_dri_dev',`
+	gen_require(`
+		type dri_device_t;
+	')
+
+	allow $1 dri_device_t:chr_file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Automatic type transition to the type
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 8a13be60..a10ec550 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -147,6 +147,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
 ')
 
+tunable_policy(`container_use_dri',`
+	dev_mounton_dri_dev(kubernetes_container_engine_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_getattr_nfs(kubernetes_container_engine_domain)
 	fs_remount_nfs(kubernetes_container_engine_domain)
-- 
cgit v1.2.3-65-gdbad