From 15daf67bc32e016ba4c13dfbab09160a9c9e37d5 Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Tue, 23 Jun 2026 00:32:13 +1000
Subject: [PATCH] Some small changes for qemu policy for strict configuration

Signed-off-by: Russell Coker
---
 policy/modules/apps/qemu.if | 19 +++++++++++++++++++
 policy/modules/apps/qemu.te | 6 ++++++
 policy/modules/roles/sysadm.te | 4 ++++
 policy/modules/services/virt.te | 13 ++++++++++++-
 4 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index e5ce6d32e4..f291ed721e 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -185,6 +185,25 @@ interface(`qemu_run',`
 roleattribute $2 qemu_roles;
 ')
+########################################
+##
+## Allow a domain to be in the qemu role
+##
+##
+##
+## Domain allowed in the role
+##
+##
+#
+interface(`qemu_domain',`
+ gen_require(`
+ attribute_role qemu_roles;
+ ')
+
+ role qemu_roles types $1;
+')
+
 ########################################
 ##
 ## Read qemu process state files.
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index efc5fc76cc..955db1b33f 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -43,9 +43,15 @@ init_unit_file(qemu_unit_t)
 dev_read_sysfs(qemu_t)
+allow qemu_t self:anon_inode { create map read write };
+allow qemu_t self:io_uring allowed;
 allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms;
 files_runtime_filetrans(qemu_t, qemu_runtime_t, sock_file)
+kernel_read_vm_sysctls(qemu_t)
+
+files_mmap_read_boot_files(qemu_t)
+
 tunable_policy(`qemu_full_network',`
 corenet_udp_sendrecv_generic_if(qemu_t)
 corenet_udp_sendrecv_generic_node(qemu_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3a82425685..9a1f7d670b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
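Review bot: The summary on the new `qemu_domain` interface speaks of "the qemu role", but the rule it emits, `role qemu_roles types $1;`, authorizes the type in every role carrying the `qemu_roles` attribute, i.e. every role that went through the `roleattribute $2 qemu_roles;` of `qemu_run` shown just above the insertion. Suggest the summary read `## Allow the specified domain type to be used in all roles that have qemu_role()/qemu_run() applied (the qemu_roles attribute).` and the parameter text `## Domain type to authorize in those roles.` A caller that only wants the type reachable from a single role cannot narrow this through the interface, which is worth saying in the description.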
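Review bot: The two new self rules `allow qemu_t self:anon_inode { create map read write };` and `allow qemu_t self:io_uring allowed;` open io_uring to every qemu_t process unconditionally, a notable widening of kernel attack surface for a domain whose other optional behaviour in this file is gated with tunables (the `tunable_policy(` block for qemu_full_network right below), and the hunk gives no reason for them. At minimum a why-comment belongs above the pair, e.g. `# io_uring submission plus the anon inode backing its rings; presumably for QEMU's io_uring AIO backend — confirm` (hedged, since the hunk does not show which QEMU feature needs it). If that feature is optional on the systems this targets, a tunable in the style of qemu_full_network would keep io_uring denied by default. The remaining additions, `kernel_read_vm_sysctls(qemu_t)` and `files_mmap_read_boot_files(qemu_t)`, look routine.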
@@ -903,6 +903,10 @@ optional_policy(`
 pyzor_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
+optional_policy(`
+ qemu_role(sysadm_r, sysadm_t)
+')
+
 optional_policy(`
 qpidd_admin(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 0f6dc341e2..08ca14ecf4 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1125,7 +1125,7 @@ optional_policy(`
 # Bridgehelper local policy
 #
-allow virt_bridgehelper_t self:process { getcap setcap };
+allow virt_bridgehelper_t self:process { getcap setcap getsched };
 allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
@@ -1136,13 +1136,24 @@ allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+kernel_getattr_proc(virt_bridgehelper_t)
+kernel_read_kernel_sysctls(virt_bridgehelper_t)
 kernel_read_network_state(virt_bridgehelper_t)
+kernel_read_system_state(virt_bridgehelper_t)
+
+dev_read_sysfs(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
+domain_use_interactive_fds(virt_bridgehelper_t)
+
 userdom_search_user_home_dirs(virt_bridgehelper_t)
 userdom_use_user_ptys(virt_bridgehelper_t)
+optional_policy(`
+ qemu_domain(virt_bridgehelper_t)
+')
+
 ########################################
 #
 # Leaseshelper local policy
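Review bot: `qemu_domain(virt_bridgehelper_t)` at the end of the second virt.te hunk makes the bridge helper — a domain holding `capability { net_admin setgid setpcap setuid }` per the first hunk — a valid type in every role carrying qemu_roles, and with the sysadm.te hunk in this same commit that now includes sysadm_r. That role authorization is only needed because some domain in qemu_roles transitions into virt_bridgehelper_t, and neither hunk shows that transition, so a comment naming it would help, e.g. `# qemu_t presumably execs the bridge helper, so its type must be valid in the qemu roles — confirm the transition`. If the transition is granted by an existing interface in this file, attaching the role association there would keep the two in one place instead of in an optional_policy block here. The other additions (`kernel_read_system_state`, `dev_read_sysfs`, `domain_use_interactive_fds`) are broad reads and fd use that look consistent with the helper's existing rules. The bridgehelper local-policy section spans both hunks, and the lines between them are not shown.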