authorKenton Groombridge <me@concord.sh>2020-12-27 20:09:09 -0500
committerJason Zaman <perfinion@gentoo.org>2021-01-31 17:21:41 -0800
commitac5bc1141d2eb0086bd0d2557073ed1b4d97a530 (patch)
tree8abae965eccdb114cbbc8de12a0b6da40bd09bc6
parentRemove modules for programs that are deprecated or no longer supported. (diff)
virt: add boolean to allow evdev passthrough
Signed-off-by: Kenton Groombridge <me@concord.sh> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/services/virt.te14
1 files changed, 14 insertions, 0 deletions
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 1e7923ed7..be91303c1 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -78,6 +78,14 @@ gen_tunable(virt_use_xserver, false)
## </desc>
gen_tunable(virt_use_vfio, false)
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use input devices via evdev pass through.
+## </p>
+## </desc>
+gen_tunable(virt_use_evdev, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
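Review bot: The `<desc>` text for `virt_use_evdev` does not tell the administrator that the devices in question are the host's own input event devices. This description is the only explanation carried with the boolean, so it should state the exposure, for example `## can use the host's input devices (e.g. keyboard and mouse)` followed by `## via evdev pass through.`. The default of `false` matches the neighbouring `virt_use_vfio` tunable and is the right choice for an opt-in grant like this.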
@@ -452,6 +460,12 @@ tunable_policy(`virt_use_vfio',`
dev_rw_vfio_dev(svirt_t)
')
+tunable_policy(`virt_use_evdev',`
+ # qemu uses IOCTLs 0x01, 0x06, 0x90, and potentially others
+ # see qemu:include/standard-headers/linux/input.h
+ dev_ioctl_input_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
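Review bot: `dev_ioctl_input_dev(svirt_t)` in the new `virt_use_evdev` block grants the ioctl permission as a whole, while the comment above it names only three request numbers and admits there may be more. In the input header the comment cites, those numbers are EVIOCGVERSION, EVIOCGNAME and EVIOCGRAB, so the comment would be easier to audit as `# qemu uses EVIOCGVERSION (0x01), EVIOCGNAME (0x06), EVIOCGRAB (0x90), and potentially others`. The grant is made to `svirt_t` rather than to one guest, so with the boolean on, presumably every confined guest process may issue any input ioctl on devices carrying that label. If the policy build supports extended permissions, an `allowxperm` whitelist of the known requests would narrow this. Otherwise the comment should say that the breadth is intentional.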