diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 2e69024314..b52ce3ae5e 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -197,6 +197,26 @@ qemuSetupTPMCgroup(virDomainObjPtr vm)
 }
 
 
+static int
+qemuSetupInputCgroup(virDomainObjPtr vm,
+                     virDomainInputDefPtr dev)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret = 0;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
+        VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
+        ret = virCgroupAllowDevicePath(priv->cgroup, dev->source.evdev,
+                                       VIR_CGROUP_DEVICE_RW);
+        virDomainAuditCgroupPath(vm, priv->cgroup, "allow", dev->source.evdev, "rw", ret == 0);
+        break;
+    }
+
+    return ret;
+}
+
+
 static int
 qemuSetupHostUSBDeviceCgroup(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                              const char *path,
@@ -591,6 +611,11 @@ qemuSetupDevicesCgroup(virQEMUDriverPtr driver,
             goto cleanup;
     }
 
+    for (i = 0; i < vm->def->ninputs; i++) {
+        if (qemuSetupInputCgroup(vm, vm->def->inputs[i]) < 0)
+            goto cleanup;
+    }
+
     for (i = 0; i < vm->def->nrngs; i++) {
         if (vm->def->rngs[i]->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
             VIR_DEBUG("Setting Cgroup ACL for RNG device");