container: add tunable to use dri devices

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-02 01:44:03 -04:00 · 2022-10-02 01:44:03 -04:00 · 6c2124d5ae
commit 6c2124d5ae
parent 3ae0575114
1 changed files with 14 additions and 3 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -38,9 +38,16 @@ gen_tunable(container_read_public_content, false)
 gen_tunable(container_spc_create_nfs_servers, false)

 ## <desc>
-##      <p>
-##      Allow containers to use eCryptfs filesystems.
-##      </p>
+##	<p>
+##	Allow containers to use direct rendering devices.
+##	</p>
+## </desc>
+gen_tunable(container_use_dri, false)
+
+## <desc>
+##	<p>
+##	Allow containers to use eCryptfs filesystems.
+##	</p>
 ## </desc>
 gen_tunable(container_use_ecryptfs, false)

@ -311,6 +318,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_watch_public_dirs(container_domain)
 ')

+tunable_policy(`container_use_dri',`
+	dev_rw_dri(container_domain)
+')
+
 tunable_policy(`container_use_ecryptfs',`
 	fs_manage_ecryptfs_dirs(container_domain)
 	fs_manage_ecryptfs_files(container_domain)