[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

Jason Zaman Sun, 11 Oct 2015 03:49:21 -0700

commit:     50f8ca591816aac7bf881211f9b722955d59fc29
Author:     Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep  5 07:41:48 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59


adds vfio device support to base policy

Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>

 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  3 +++
 3 files changed, 40 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
 ifdef(`distro_suse', `
 /dev/usbscanner                -c      
gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vfio/.+           -c      gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net         -c      gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*             -c      gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*            -c      
gen_context(system_u:object_r:xserver_misc_device_t,s0)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ed25979..835ec14 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
 
 ########################################
 ## <summary>
+##      Read and write vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+       gen_require(`
+               type device_t, vfio_device_t;
+       ')
+
+       rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##      Relabel vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_relabelfrom_vfio_dev',`
+       gen_require(`
+               type device_t, vfio_device_t;
+       ')
+
+       relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+############################
+## <summary>
 ##     Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
+type vfio_device_t;
+dev_node(vfio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

Reply via email to