Gentoo's Bugzilla – Attachment 384674 Details for Bug 522736
VFIO (direct device access) with libvirt and selinux has policy gaps, proposed fix
[patch] selinux-base patch to add vfio
0001-vfio.patch (text/plain), 5.17 KB, created by Alexander Wetzel on 2014-09-13 16:01:49 UTC
Attachment flags: patch, obsolete
>diff -ur refpolicy/policy/modules/kernel/devices.fc refpolicy_new/policy/modules/kernel/devices.fc >--- refpolicy/policy/modules/kernel/devices.fc 2014-09-13 14:37:22.422112944 +0200 >+++ refpolicy_new/policy/modules/kernel/devices.fc 2014-09-13 14:38:52.382278389 +0200 >@@ -118,6 +118,9 @@ > ifdef(`distro_suse', ` > /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) > ') >+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) >+/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) >+/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) > /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) > /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) > /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) >diff -ur refpolicy/policy/modules/kernel/devices.if refpolicy_new/policy/modules/kernel/devices.if >--- refpolicy/policy/modules/kernel/devices.if 2014-09-13 14:37:22.422112944 +0200 >+++ refpolicy_new/policy/modules/kernel/devices.if 2014-09-13 14:41:25.572464521 +0200 
>@@ -4593,6 +4593,170 @@ > > ######################################## > ## <summary> >+## Get the attributes of vfio devices. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_getattr_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ getattr_chr_files_pattern($1, device_t, vfio_device_t) >+') >+ >+######################################## >+## <summary> >+## Do not audit attempts to get the attributes >+## of vfio device nodes. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain to not audit. >+## </summary> >+## </param> >+# >+interface(`dev_dontaudit_getattr_vfio_dev',` >+ gen_require(` >+ type vfio_device_t; >+ ') >+ >+ dontaudit $1 vfio_device_t:chr_file getattr; >+') >+ >+######################################## >+## <summary> >+## Set the attributes of vfio device nodes. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_setattr_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ setattr_chr_files_pattern($1, device_t, vfio_device_t) >+') >+ >+######################################## >+## <summary> >+## Do not audit attempts to set the attributes >+## of vfio device nodes. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain to not audit. >+## </summary> >+## </param> >+# >+interface(`dev_dontaudit_setattr_vfio_dev',` >+ gen_require(` >+ type vfio_device_t; >+ ') >+ >+ dontaudit $1 vfio_device_t:chr_file setattr; >+') >+ >+######################################## >+## <summary> >+## Read the vfio devices. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. 
>+## </summary> >+## </param> >+# >+interface(`dev_read_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ read_chr_files_pattern($1, device_t, vfio_device_t) >+') >+ >+######################################## >+## <summary> >+## Write the vfio devices. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_write_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ write_chr_files_pattern($1, device_t, vfio_device_t) >+') >+ >+######################################## >+## <summary> >+## Read and write the VFIO devices. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_rw_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ rw_chr_files_pattern($1, device_t, vfio_device_t) >+') >+ >+######################################## >+## <summary> >+## Minimal read and write the VFIO devices for devices. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_rw_vfio_dev_min',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ allow $1 vfio_device_t:chr_file { read write open ioctl }; >+') >+ >+######################################## >+## <summary> >+## Allow dev file transition to new user and type >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`dev_trans_vfio_dev',` >+ gen_require(` >+ type device_t, vfio_device_t; >+ ') >+ >+ allow $1 vfio_device_t:chr_file { relabelfrom setattr }; >+') >+ >+############################ >+## <summary> > ## Allow read/write the vhost net device > ## </summary> > ## <param name="domain"> >Nur in refpolicy_new/policy/modules/kernel: devices.if.orig. 
>diff -ur refpolicy/policy/modules/kernel/devices.te refpolicy_new/policy/modules/kernel/devices.te >--- refpolicy/policy/modules/kernel/devices.te 2014-09-13 14:37:22.422112944 +0200 >+++ refpolicy_new/policy/modules/kernel/devices.te 2014-09-13 14:38:52.382278389 +0200 >@@ -273,6 +273,9 @@ > type userio_device_t; > dev_node(userio_device_t) > >+type vfio_device_t; >+dev_node(vfio_device_t) >+ > type v4l_device_t; > dev_node(v4l_device_t) > >Nur in refpolicy_new/policy/modules/kernel: devices.te.orig.
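Review bot: In the devices.fc hunk, `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` are s390-specific nodes that live outside `/dev/vfio/`, yet they are labelled `vfio_device_t` with no comment saying why they should share the type; either add a comment explaining the grouping or give them their own type, otherwise every caller of `dev_rw_vfio_dev` silently gains access to those nodes as well. The pattern `/dev/vfio/(vfio)?[0-9]*` also accepts an empty suffix and names such as `vfio12`; the container node and the group nodes are matched more precisely by `/dev/vfio/vfio` and `/dev/vfio/[0-9]+`. Finally, the `sclp` entry is inserted after the `usbscanner` block and breaks the file's alphabetical ordering.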
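Review bot: `dev_trans_vfio_dev` in the devices.if hunk does not do what its summary claims: "Allow dev file transition to new user and type" describes a type transition, but the body is `allow $1 vfio_device_t:chr_file { relabelfrom setattr };`, which only lets the caller relabel VFIO nodes away from `vfio_device_t` (no matching `relabelto` on a target type is granted here) and change their attributes. Rename it to reflect the relabel semantics and document which interface is meant to supply the `relabelto` side, or drop it if libvirt does not need it. In the same hunk, `dev_rw_vfio_dev_min` has a garbled summary ("Minimal read and write the VFIO devices for devices") and, like `dev_trans_vfio_dev`, lists `device_t` in `gen_require` without using it; its `{ read write open ioctl }` set also lacks `getattr` and the `device_t` directory search that `rw_chr_files_pattern` grants, so the summary should state what the caller must already hold. The closing separator `############################` is shorter than the separator used above it.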
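Review bot: The devices.te hunk only declares `vfio_device_t`; nothing in this attachment calls any of the new `dev_*_vfio_dev` interfaces, so the virt-side rules that actually close the policy gap for libvirt must come in a separate patch and should be referenced from this one. The `Nur in refpolicy_new/policy/modules/kernel: devices.te.orig` line (and the matching `devices.if.orig` one) show the diff was taken against a tree with leftover `.orig` files; regenerate it from a clean checkout so it applies without that noise.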
Attachments on bug 522736: 384674 | 384676 | 384678