Containers need to use hsa devices for ROCM #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 3, 2025
10 changes: 9 additions & 1 deletion container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.238.0)
policy_module(container, 2.239.0)

gen_require(`
class passwd rootok;
@@ -707,6 +707,14 @@ optional_policy(`
udev_read_db(container_runtime_domain)
')

optional_policy(`
require {
type hsa_device_t;
}

allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
')
Comment on lines +710 to +716

high

For consistency with other device access rules in this policy and for better security, this new permission should be controlled by a tunable boolean. This allows administrators to explicitly enable HSA device access when needed, instead of granting it by default on systems with ROCm support. Please wrap this policy in a tunable_policy block and add a corresponding gen_tunable definition [1].

tunable_policy(`container_use_hsa_devices',`
	optional_policy(`
		require {
			type hsa_device_t;
		}

		allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
	')
`)

Style Guide References

Footnotes

  1. Use tunable policies for device access control to allow administrators to explicitly enable features.

Member Author

No I don't want to wrap this in a boolean, it is needed in general for ROCM accelerators, so I want it on by default.


optional_policy(`
gen_require(`
role unconfined_r;
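Review bot: the new block uses a raw `require { type hsa_device_t; }` while the rest of this file, including the `optional_policy(` block immediately following it, declares its requirements with `gen_require(` ... ')`; for consistency write it as `gen_require(` type hsa_device_t; ')` here too. Also worth stating in a comment above the block: `allow container_domain hsa_device_t:chr_file rw_chr_file_perms;` is unconditional for every container_domain, so once a policy defining hsa_device_t is loaded, any container process, not only one started with the accelerator mapped in, is permitted to read and write HSA device nodes. The author has explicitly declined a tunable for this because it is wanted on by default for ROCm accelerators, so a one-line comment recording that decision next to the rule would save the next reviewer from reopening it.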