Attachment 384674 Details for Bug 522736 – selinux-base patch to add vfio

[patch] selinux-base patch to add vfio

0001-vfio.patch (text/plain), 5.17 KB, created by Alexander Wetzel on 2014-09-13 16:01:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alexander Wetzel

Created: 2014-09-13 16:01:49 UTC

Size: 5.17 KB

patch

obsolete

>diff -ur refpolicy/policy/modules/kernel/devices.fc refpolicy_new/policy/modules/kernel/devices.fc
>--- refpolicy/policy/modules/kernel/devices.fc	2014-09-13 14:37:22.422112944 +0200
>+++ refpolicy_new/policy/modules/kernel/devices.fc	2014-09-13 14:38:52.382278389 +0200
>@@ -118,6 +118,9 @@
> ifdef(`distro_suse', `
> /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
> ')
>+/dev/vfio/(vfio)?[0-9]* -c      gen_context(system_u:object_r:vfio_device_t,s0)
>+/dev/sclp[0-9]*     -c  gen_context(system_u:object_r:vfio_device_t,s0)
>+/dev/vmcp[0-9]*     -c  gen_context(system_u:object_r:vfio_device_t,s0)
> /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
>diff -ur refpolicy/policy/modules/kernel/devices.if refpolicy_new/policy/modules/kernel/devices.if
>--- refpolicy/policy/modules/kernel/devices.if	2014-09-13 14:37:22.422112944 +0200
>+++ refpolicy_new/policy/modules/kernel/devices.if	2014-09-13 14:41:25.572464521 +0200
>@@ -4593,6 +4593,170 @@
> 
> ########################################
> ## <summary>
>+##      Get the attributes of vfio devices.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_getattr_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	getattr_chr_files_pattern($1, device_t, vfio_device_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Do not audit attempts to get the attributes
>+##      of vfio device nodes.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain to not audit.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_dontaudit_getattr_vfio_dev',`
>+	gen_require(`
>+		type vfio_device_t;
>+	')
>+
>+	dontaudit $1 vfio_device_t:chr_file getattr;
>+')
>+
>+########################################
>+## <summary>
>+##      Set the attributes of vfio device nodes.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_setattr_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	setattr_chr_files_pattern($1, device_t, vfio_device_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Do not audit attempts to set the attributes
>+##      of vfio device nodes.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain to not audit.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_dontaudit_setattr_vfio_dev',`
>+	gen_require(`
>+		type vfio_device_t;
>+	')
>+
>+	dontaudit $1 vfio_device_t:chr_file setattr;
>+')
>+
>+########################################
>+## <summary>
>+##      Read the vfio devices.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_read_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	read_chr_files_pattern($1, device_t, vfio_device_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Write the vfio devices.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_write_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	write_chr_files_pattern($1, device_t, vfio_device_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Read and write the VFIO devices.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_rw_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	rw_chr_files_pattern($1, device_t, vfio_device_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Minimal read and write the VFIO devices for devices.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_rw_vfio_dev_min',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	allow $1 vfio_device_t:chr_file { read write open ioctl };
>+')
>+
>+########################################
>+## <summary>
>+##      Allow dev file transition to new user and type
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_trans_vfio_dev',`
>+	gen_require(`
>+		type device_t, vfio_device_t;
>+	')
>+
>+	allow $1 vfio_device_t:chr_file { relabelfrom setattr };
>+')
>+
>+############################
>+## <summary>
> ##	Allow read/write the vhost net device
> ## </summary>
> ## <param name="domain">
>Nur in refpolicy_new/policy/modules/kernel: devices.if.orig.
>diff -ur refpolicy/policy/modules/kernel/devices.te refpolicy_new/policy/modules/kernel/devices.te
>--- refpolicy/policy/modules/kernel/devices.te	2014-09-13 14:37:22.422112944 +0200
>+++ refpolicy_new/policy/modules/kernel/devices.te	2014-09-13 14:38:52.382278389 +0200
>@@ -273,6 +273,9 @@
> type userio_device_t;
> dev_node(userio_device_t)
> 
>+type vfio_device_t;
>+dev_node(vfio_device_t)
>+
> type v4l_device_t;
> dev_node(v4l_device_t)
> 
>Nur in refpolicy_new/policy/modules/kernel: devices.te.orig.

Actions: View | Diff

Attachments on bug 522736: 384674 | 384676 | 384678