From c7a0cc0cd2854685c2e840da4b827cf4b2b7c4c5 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Mon, 10 Oct 2022 12:13:17 -0400
Subject: [PATCH] container: add tunable to allow spc to use tun-tap devices

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/services/container.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index bc9879ca2..458e392d9 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -37,6 +37,13 @@ gen_tunable(container_read_public_content, false)
 ## </desc>
 gen_tunable(container_spc_create_nfs_servers, false)
 
+## <desc>
+##	<p>
+##	Allow super privileged containers to use tun-tap devices.
+##	</p>
+## </desc>
+gen_tunable(container_spc_use_tun_tap_dev, false)
+
 ## <desc>
 ##	<p>
 ##	Allow containers to use direct rendering devices.
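Review bot: The tunable description on the added `##	Allow super privileged containers to use tun-tap devices.` line does not tell an administrator what enabling it actually grants, which matters for a boolean that is off by default for a reason. The interface used later in this patch, `corenet_rw_tun_tap_dev`, gives read/write on the tun-tap device node (presumably /dev/net/tun under refpolicy's labelling), which is the path a container would use to create or attach to host virtual network interfaces. I would make that explicit so the consequence is visible in `semanage boolean -l` output, e.g. `##	Allow super privileged containers to read and write tun-tap devices, which lets them create or attach to host tun/tap network interfaces.`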
@@ -918,6 +925,10 @@ ifdef(`init_systemd',`
 	init_run_bpf(spc_t)
 ')
 
+tunable_policy(`container_spc_use_tun_tap_dev',`
+	corenet_rw_tun_tap_dev(spc_t)
+')
+
 optional_policy(`
 	tunable_policy(`container_spc_create_nfs_servers',`
 		fs_mount_nfsd_fs(spc_t)
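Review bot: Read/write on the tun-tap device node alone, as granted by `corenet_rw_tun_tap_dev(spc_t)` in the new tunable_policy block, is typically not sufficient for a domain to create or attach a tun/tap interface: refpolicy domains that do this (openvpn, vpnc and similar) also carry tun_socket permissions on the domain itself, and without them the TUNSETIFF path still fails with an AVC denial on the tun_socket class even when the boolean is on. Unless spc_t already has those permissions elsewhere in container.te, which is not visible in this hunk, I would add `allow spc_t self:tun_socket { create_socket_perms relabelfrom relabelto };` inside the same tunable_policy block so the whole capability is toggled as a unit rather than split between an always-on rule and a boolean. Placing the block outside optional_policy is correct since corenet is a base-module interface.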