diff options
| author |   Kenton Groombridge <me@concord.sh> | 2022-10-02 01:44:03 -0400 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2022-12-13 14:04:13 -0500 |
| commit | a00c5341e6e995bb2b50a89f03d92c096f0cc667 (patch) | |
| tree | 61aaca4e334a8252ce21fad889cb3416128f8873 /policy/modules/services/container.te | |
| parent | container, kubernetes: add private type for generic container devices (diff) | |
| download | hardened-refpolicy-a00c5341e6e995bb2b50a89f03d92c096f0cc667.tar.gz hardened-refpolicy-a00c5341e6e995bb2b50a89f03d92c096f0cc667.tar.bz2 hardened-refpolicy-a00c5341e6e995bb2b50a89f03d92c096f0cc667.zip | |
container: add tunable to use dri devices
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy/modules/services/container.te')
| -rw-r--r-- | policy/modules/services/container.te | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index c37b4a21..cd5551e1 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -38,9 +38,16 @@ gen_tunable(container_read_public_content, false) gen_tunable(container_spc_create_nfs_servers, false) ## <desc> -## <p> -## Allow containers to use eCryptfs filesystems. -## </p> +## <p> +## Allow containers to use direct rendering devices. +## </p> +## </desc> +gen_tunable(container_use_dri, false) + +## <desc> +## <p> +## Allow containers to use eCryptfs filesystems. +## </p> ## </desc> gen_tunable(container_use_ecryptfs, false) @@ -311,6 +318,10 @@ tunable_policy(`container_read_public_content',` miscfiles_watch_public_dirs(container_domain) ') +tunable_policy(`container_use_dri',` + dev_rw_dri(container_domain) +') + tunable_policy(`container_use_ecryptfs',` fs_manage_ecryptfs_dirs(container_domain) fs_manage_ecryptfs_files(container_domain) |