diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 0f75e22f98541a98e73cd8aa400a44a17509ff8f..19252ea2396dd44837454152bae06d642a19b7c6 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -246,7 +246,7 @@ qemuSetupTPMCgroup(virDomainObjPtr vm)
 }
 
 
-static int
+int
 qemuSetupInputCgroup(virDomainObjPtr vm,
                      virDomainInputDefPtr dev)
 {
@@ -269,6 +269,29 @@ qemuSetupInputCgroup(virDomainObjPtr vm,
 }
 
 
+int
+qemuTeardownInputCgroup(virDomainObjPtr vm,
+                        virDomainInputDefPtr dev)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret = 0;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
+        VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
+        ret = virCgroupDenyDevicePath(priv->cgroup, dev->source.evdev,
+                                      VIR_CGROUP_DEVICE_RWM, false);
+        virDomainAuditCgroupPath(vm, priv->cgroup, "deny", dev->source.evdev, "rwm", ret == 0);
+        break;
+    }
+
+    return ret;
+}
+
+
 int
 qemuSetupHostdevCgroup(virDomainObjPtr vm,
                        virDomainHostdevDefPtr dev)
diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
index 3fc1583612e17ffeef41b4dfe1c5bc27d01cd4a3..3b8ff6055da7b35939d19947c6916510753d5cfd 100644
--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -37,6 +37,10 @@ int qemuSetupDiskCgroup(virDomainObjPtr vm,
                         virDomainDiskDefPtr disk);
 int qemuTeardownDiskCgroup(virDomainObjPtr vm,
                            virDomainDiskDefPtr disk);
+int qemuSetupInputCgroup(virDomainObjPtr vm,
+                         virDomainInputDefPtr dev);
+int qemuTeardownInputCgroup(virDomainObjPtr vm,
+                            virDomainInputDefPtr dev);
 int qemuSetupHostdevCgroup(virDomainObjPtr vm,
                            virDomainHostdevDefPtr dev)
    ATTRIBUTE_RETURN_CHECK;