From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-839337-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 682CA13888F
	for <garchives@archives.gentoo.org>; Sat, 10 Oct 2015 12:11:31 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id D6DEB21C01F;
	Sat, 10 Oct 2015 12:11:15 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 0FB1B21C017
	for <gentoo-commits@lists.gentoo.org>; Sat, 10 Oct 2015 12:11:14 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 4589F34087E
	for <gentoo-commits@lists.gentoo.org>; Sat, 10 Oct 2015 12:11:13 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 02BAFE22
	for <gentoo-commits@lists.gentoo.org>; Sat, 10 Oct 2015 12:11:09 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1442731973.50f8ca591816aac7bf881211f9b722955d59fc29.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.fc policy/modules/kernel/devices.if policy/modules/kernel/devices.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 50f8ca591816aac7bf881211f9b722955d59fc29
X-VCS-Branch: swift
Date: Sat, 10 Oct 2015 12:11:09 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b9a93f96-20d8-45e7-a31c-1d0871ce15a9
X-Archives-Hash: ac1112974b364235c0f81e37a6e98749

commit:     50f8ca591816aac7bf881211f9b722955d59fc29
Author:     Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep  5 07:41:48 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59

adds vfio device support to base policy

Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>

 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  3 +++
 3 files changed, 40 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vfio/.+		-c      gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
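Review bot: the new `/dev/vfio/.+` entry separates `-c` from `gen_context(...)` with spaces, while the neighbouring `/dev/vhost-net`, `/dev/vbi.*` and `/dev/vbox.*` lines use a tab; please switch to a tab so the column stays aligned with the rest of devices.fc. Also worth stating in the commit message that the pattern deliberately matches only the nodes under `/dev/vfio/` (the `.+` requires at least one character after the slash), so the `/dev/vfio` directory itself keeps the generic device label.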

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ed25979..835ec14 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
 
 ########################################
 ## <summary>
+##      Read and write vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##      Relabel vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_relabelfrom_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+############################
+## <summary>
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
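Review bot: the doc comments of both new interfaces indent their text with spaces (`##      Read and write vfio devices.`) whereas the existing block below uses a tab (`##	Allow read/write the vhost net device`); the XML documentation generator does not care, but the file's style does, so please use tabs. The separator inserted in front of the vhost interface (`############################`) is also shorter than the 40-character `########################################` used everywhere else in devices.if, including the one directly above `dev_rw_vfio_dev`; make it the full width. Finally, since `dev_relabelfrom_vfio_dev` is added without a matching `relabelto` interface, a short note on which domain is expected to need the relabelfrom-only access would help readers of the interface.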

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
+type vfio_device_t;
+dev_node(vfio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
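Review bot: `vfio_device_t` is inserted between `userio_device_t` and `v4l_device_t`, but in this block `v4l_device_t` sorts before `vfio_device_t` (`4` precedes `f`), so the declaration should go after `dev_node(v4l_device_t)` to keep the list ordered. The type declaration itself is fine and matches the label used in devices.fc and the two new interfaces; note that nothing in this commit calls `dev_rw_vfio_dev` or `dev_relabelfrom_vfio_dev` yet, so a follow-up in the module that actually drives vfio devices is expected.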