[refpolicy] [PATCH 1/1] adds vfio device support to base policy

Christopher J. PeBenito cpebenito at tresys.com
Tue Sep 15 12:55:53 UTC 2015


On 9/5/2015 3:41 AM, Jason Zaman wrote:
> From: Alexander Wetzel <alexander.wetzel at web.de>

Merged.



> Signed-off-by: Alexander Wetzel <alexander.wetzel at web.de>
> ---
>  policy/modules/kernel/devices.fc |  1 +
>  policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/devices.te |  3 +++
>  3 files changed, 40 insertions(+)
> 
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index d6ebfcd..a33e395 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -118,6 +118,7 @@
>  ifdef(`distro_suse', `
>  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
>  ')
> +/dev/vfio/.+		-c      gen_context(system_u:object_r:vfio_device_t,s0)
>  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
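Review bot: the new `/dev/vfio/.+` entry separates `-c` from `gen_context(...)` with spaces where the neighbouring `/dev/vhost-net` and `/dev/vbi.*` lines use a tab; align the whitespace with the surrounding entries. The pattern itself is fine: `-c` combined with `.+` labels only the character nodes inside the directory and leaves `/dev/vfio` itself to the existing /dev labelling, which matches the new interfaces' use of `device_t` as the containing directory type in `rw_chr_files_pattern($1, device_t, vfio_device_t)`.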
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 9744d63..3b904d7 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
>  
>  ########################################
>  ## <summary>
> +##      Read and write vfio devices.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`dev_rw_vfio_dev',`
> +	gen_require(`
> +		type device_t, vfio_device_t;
> +	')
> +
> +	rw_chr_files_pattern($1, device_t, vfio_device_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Relabel vfio devices.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`dev_relabelfrom_vfio_dev',`
> +	gen_require(`
> +		type device_t, vfio_device_t;
> +	')
> +
> +	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
> +')
> +
> +############################
> +## <summary>
>  ##	Allow read/write the vhost net device
>  ## </summary>
>  ## <param name="domain">
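Review bot: the separator added for the vhost interface at the end of the hunk (`+############################`) is 28 characters wide, while the separator retained above `dev_rw_vfio_dev` is the file's 40-character `########################################` line; use the full-width line so the vhost interface header matches the rest of devices.if. The new `<summary>` and `<param>` bodies are also indented with spaces (`##      Read and write vfio devices.`) where the retained vhost summary uses a tab (`##	Allow read/write the vhost net device`); convert to tabs. Finally, `dev_relabelfrom_vfio_dev` is documented as "Relabel vfio devices." but grants only relabelfrom via `relabelfrom_chr_files_pattern`; wording it "Relabel from vfio devices." avoids suggesting the caller can also relabel nodes to vfio_device_t.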
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 166c8f7..eb12597 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
>  type userio_device_t;
>  dev_node(userio_device_t)
>  
> +type vfio_device_t;
> +dev_node(vfio_device_t)
> +
>  type v4l_device_t;
>  dev_node(v4l_device_t)
>  
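Review bot: the new `type vfio_device_t;` block is inserted between `userio_device_t` and `v4l_device_t`, but in the ASCII ordering this section follows (`usbmon`, `userio`, `v4l`) `vfio_device_t` sorts after `v4l_device_t`; move it below the `dev_node(v4l_device_t)` pair. Also, the diffstat shows only the three devices.* files changing, so no domain in the policy calls `dev_rw_vfio_dev` or `dev_relabelfrom_vfio_dev` yet, and the commit message is the subject line alone; it should name the domain expected to use these interfaces so the follow-up patch that adds the caller can be reviewed against that intent.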
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

