* [refpolicy] missed patches: VFIO support to libvirt
From: Jason Zaman @ 2015-09-05 7:41 UTC
To: refpolicy

Hi Chris,

It appears these patches slipped through earlier on, so I'm resending on behalf of Alexander Wetzel. They were originally sent here: http://oss.tresys.com/pipermail/refpolicy/2015-June/007661.html

The related Gentoo Bug: https://bugs.gentoo.org/522736
* [refpolicy] [PATCH 1/1] add vfio support for libvirt 2015-09-05 7:41 [refpolicy] missed patches: VFIO support to libvirt Jason Zaman @ 2015-09-05 7:41 ` Jason Zaman 2015-09-15 12:56 ` Christopher J. PeBenito 2015-09-05 7:41 ` [refpolicy] [PATCH 1/1] adds vfio device support to base policy Jason Zaman 1 sibling, 1 reply; 5+ messages in thread From: Jason Zaman @ 2015-09-05 7:41 UTC (permalink / raw) To: refpolicy From: Alexander Wetzel <alexander.wetzel@web.de> Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de> --- virt.te | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/virt.te b/virt.te index f8a59e4..f512ddc 100644 --- a/virt.te +++ b/virt.te @@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false) ## </desc> gen_tunable(virt_use_xserver, false) +## <desc> +### <p> +### Determine whether confined virtual guests +### can use vfio for pci device pass through (vt-d). +### </p> +### </desc> +gen_tunable(virt_use_vfio, false) + attribute virt_ptynode; attribute virt_domain; attribute virt_image_type; @@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t) corenet_sendrecv_all_client_packets(svirt_t) corenet_tcp_connect_all_ports(svirt_t) +tunable_policy(`virt_use_vfio',` + dev_rw_vfio_dev(svirt_t) +') + ######################################## # # virtd local policy @@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',` fs_read_cifs_symlinks(virtd_t) ') +tunable_policy(`virt_use_vfio',` + allow virtd_t self:capability sys_resource; + allow virtd_t self:process setrlimit; + allow virtd_t svirt_t:process rlimitinh; + dev_relabelfrom_vfio_dev(virtd_t) +') + optional_policy(` brctl_domtrans(virtd_t) ') -- 2.4.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
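Review bot: in the first hunk (the new `virt_use_vfio` tunable) the description lines use a three-hash prefix (`### <p>`, `### </p>`, `### </desc>`) while the surrounding tunable descriptions, including the `## </desc>` context line directly above, use the two-hash `## ` prefix; the extra hash is inconsistent with the refpolicy doc-comment convention and may leave a stray `#` in the extracted description text, so change those lines to `## <p>` ... `## </desc>`. While at it, spell the acronyms as the kernel documentation does: VFIO, PCI and VT-d.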
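Review bot: in the second hunk, `dev_rw_vfio_dev(svirt_t)` grants every svirt_t guest read/write access to every node of type vfio_device_t, so the tunable is all-or-nothing for all guests rather than per device. If the separation between guests is expected to come from libvirt relabelling each /dev/vfio/N node to the guest's own label (which the `dev_relabelfrom_vfio_dev(virtd_t)` rule in the third hunk suggests), the tunable description should say so; an operator reading "confined virtual guests can use vfio" may otherwise assume a per-guest grant.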
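Review bot: in the third hunk, the three rlimit rules (`allow virtd_t self:capability sys_resource;`, `allow virtd_t self:process setrlimit;`, `allow virtd_t svirt_t:process rlimitinh;`) are not explained anywhere in the patch; they are presumably needed so virtd can raise the locked-memory limit that VFIO DMA pinning requires and hand that limit to the guest process, and a one-line comment saying so would spare future readers from guessing, particularly since sys_resource is a broad capability. Separately, the block grants only relabelfrom on vfio_device_t: if libvirt is expected to restore the original label when a guest is torn down, a matching relabelto interface would be needed as well; worth confirming against libvirt's actual behaviour.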
* [refpolicy] [PATCH 1/1] add vfio support for libvirt 2015-09-05 7:41 ` [refpolicy] [PATCH 1/1] add vfio support for libvirt Jason Zaman @ 2015-09-15 12:56 ` Christopher J. PeBenito 0 siblings, 0 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2015-09-15 12:56 UTC (permalink / raw) To: refpolicy On 9/5/2015 3:41 AM, Jason Zaman wrote: > From: Alexander Wetzel <alexander.wetzel@web.de> Merged. > Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de> > --- > virt.te | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/virt.te b/virt.te > index f8a59e4..f512ddc 100644 > --- a/virt.te > +++ b/virt.te > @@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false) > ## </desc> > gen_tunable(virt_use_xserver, false) > > +## <desc> > +### <p> > +### Determine whether confined virtual guests > +### can use vfio for pci device pass through (vt-d). > +### </p> > +### </desc> > +gen_tunable(virt_use_vfio, false) > + > attribute virt_ptynode; > attribute virt_domain; > attribute virt_image_type; > @@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t) > corenet_sendrecv_all_client_packets(svirt_t) > corenet_tcp_connect_all_ports(svirt_t) > > +tunable_policy(`virt_use_vfio',` > + dev_rw_vfio_dev(svirt_t) > +') > + > ######################################## > # > # virtd local policy > @@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',` > fs_read_cifs_symlinks(virtd_t) > ') > > +tunable_policy(`virt_use_vfio',` > + allow virtd_t self:capability sys_resource; > + allow virtd_t self:process setrlimit; > + allow virtd_t svirt_t:process rlimitinh; > + dev_relabelfrom_vfio_dev(virtd_t) > +') > + > optional_policy(` > brctl_domtrans(virtd_t) > ') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 1/1] adds vfio device support to base policy 2015-09-05 7:41 [refpolicy] missed patches: VFIO support to libvirt Jason Zaman 2015-09-05 7:41 ` [refpolicy] [PATCH 1/1] add vfio support for libvirt Jason Zaman @ 2015-09-05 7:41 ` Jason Zaman 2015-09-15 12:55 ` Christopher J. PeBenito 1 sibling, 1 reply; 5+ messages in thread From: Jason Zaman @ 2015-09-05 7:41 UTC (permalink / raw) To: refpolicy From: Alexander Wetzel <alexander.wetzel@web.de> Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de> --- policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++ policy/modules/kernel/devices.te | 3 +++ 3 files changed, 40 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index d6ebfcd..a33e395 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -118,6 +118,7 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 9744d63..3b904d7 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',` ######################################## ## <summary> +## Read and write vfio devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + rw_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## <summary> +## Relabel vfio devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabelfrom_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + relabelfrom_chr_files_pattern($1, device_t, vfio_device_t) +') + +############################ +## <summary> ## Allow read/write the vhost net device ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 166c8f7..eb12597 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -273,6 +273,9 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) -- 2.4.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
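Review bot: in the devices.if hunk, the separator added before the vhost interface (`+############################`) is 28 characters long, while every other interface in devices.if, including the two new ones, uses the 40-character `########################################` line; because the hunk reuses the original separator and `## <summary>` for `dev_rw_vfio_dev`, the existing vhost interface ends up with the short one. Use the standard line there. It would also help to note in the `dev_rw_vfio_dev` summary that the single vfio_device_t type covers both the /dev/vfio/vfio container node and the /dev/vfio/N group nodes matched by the new `/dev/vfio/.+` file context, since the policy cannot distinguish between them.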
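Review bot: in the devices.te hunk, the new `type vfio_device_t;` / `dev_node(vfio_device_t)` block is inserted between userio_device_t and v4l_device_t, but devices.te keeps its device type declarations in sorted order and "vfio" sorts after "v4l" (the digit precedes the letter), so the block belongs after the v4l_device_t declaration. Style nit only; the declaration itself and the dev_node() call are fine.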
* [refpolicy] [PATCH 1/1] adds vfio device support to base policy 2015-09-05 7:41 ` [refpolicy] [PATCH 1/1] adds vfio device support to base policy Jason Zaman @ 2015-09-15 12:55 ` Christopher J. PeBenito 0 siblings, 0 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2015-09-15 12:55 UTC (permalink / raw) To: refpolicy On 9/5/2015 3:41 AM, Jason Zaman wrote: > From: Alexander Wetzel <alexander.wetzel@web.de> Merged. > Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de> > --- > policy/modules/kernel/devices.fc | 1 + > policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++ > policy/modules/kernel/devices.te | 3 +++ > 3 files changed, 40 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index d6ebfcd..a33e395 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -118,6 +118,7 @@ > ifdef(`distro_suse', ` > /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) > ') > +/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) > /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) > /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) > /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 9744d63..3b904d7 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if 
> @@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',` > > ######################################## > ## <summary> > +## Read and write vfio devices. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`dev_rw_vfio_dev',` > + gen_require(` > + type device_t, vfio_device_t; > + ') > + > + rw_chr_files_pattern($1, device_t, vfio_device_t) > +') > + > +######################################## > +## <summary> > +## Relabel vfio devices. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`dev_relabelfrom_vfio_dev',` > + gen_require(` > + type device_t, vfio_device_t; > + ') > + > + relabelfrom_chr_files_pattern($1, device_t, vfio_device_t) > +') > + > +############################ > +## <summary> > ## Allow read/write the vhost net device > ## </summary> > ## <param name="domain"> > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 166c8f7..eb12597 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -273,6 +273,9 @@ dev_node(usbmon_device_t) > type userio_device_t; > dev_node(userio_device_t) > > +type vfio_device_t; > +dev_node(vfio_device_t) > + > type v4l_device_t; > dev_node(v4l_device_t) > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread