Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable

2021-01-19 10:07:29 -05:00 · 2021-01-19 10:07:29 -05:00 · 6c2432c8bc
parent 0179413fa3 fb377e0953
commit 6c2432c8bc
2 changed files with 32 additions and 0 deletions
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -2187,6 +2187,24 @@ interface(`dev_manage_input_dev',`
 	manage_chr_files_pattern($1, device_t, event_device_t)
 ')

+########################################
+## <summary>
+##	IOCTL the input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_ioctl_input_dev',`
+	gen_require(`
+		type event_device_t;
+	')
+
+	allow $1 event_device_t:chr_file ioctl;
+')
+
 ########################################
 ## <summary>
 ##	Read and write ipmi devices (/dev/ipmi*).
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@ -78,6 +78,14 @@ gen_tunable(virt_use_xserver, false)
 ## </desc>
 gen_tunable(virt_use_vfio, false)

+## <desc>
+##	<p>
+##	Determine whether confined virtual guests
+##	can use input devices via evdev pass through.
+##	</p>
+## </desc>
+gen_tunable(virt_use_evdev, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@ -448,6 +456,12 @@ tunable_policy(`virt_use_vfio',`
 	dev_rw_vfio_dev(svirt_t)
 ')

+tunable_policy(`virt_use_evdev',`
+	# qemu uses IOCTLs 0x01, 0x06, 0x90, and potentially others
+	# see qemu:include/standard-headers/linux/input.h
+	dev_ioctl_input_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy