Add the deny-write option for device passthrough, to restrict container access to devices.
Signed-off-by: Filip Schauer <f.scha...@proxmox.com>
---
 src/PVE/LXC.pm | 7 ++++++-
 src/PVE/LXC/Config.pm | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 65d0fa8..cb24f2d 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -651,7 +651,12 @@ sub update_lxc_config {
 my $major = PVE::Tools::dev_t_major($rdev);
 my $minor = PVE::Tools::dev_t_minor($rdev);
 my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
- $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+ my $allow_perms = "r" . $device->{'deny-write'} ? "" : "w";
+ $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor $allow_perms\n";
+
+ if ($device->{'deny-write'}) {
+ $raw .= "lxc.cgroup2.devices.deny = $device_type_char $major:$minor w\n";
+ }
 });
 
 # WARNING: DO NOT REMOVE this without making sure that loop device nodes
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 1664a35..ce64c4c 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -962,6 +962,12 @@ my $dev_desc = {
 minimum => 0,
 description => 'Group ID to be assigned to the device node',
 },
+ 'deny-write' => {
+ optional => 1,
+ type => 'boolean',
+ description => 'Deny the container to write to the device',
+ default => 0,
+ },
 };
 
 for (my $i = 0; $i < $MAX_DEVICES; $i++) {
-- 
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
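Review bot: The added `$allow_perms` assignment in the LXC.pm hunk has a precedence bug: `.` binds tighter than `?:`, so it parses as `("r" . $device->{'deny-write'}) ? "" : "w"`, and because the concatenation is always a non-empty (true) string, `$allow_perms` is always `""` — the allow rule is emitted with no permission at all, and a "Use of uninitialized value" warning fires whenever the option is unset. Write it as `my $allow_perms = $device->{'deny-write'} ? 'r' : 'rw';`. Once the allow rule itself only grants `r`, the following `lxc.cgroup2.devices.deny ... w` line looks redundant if the device cgroup denies by default, which the rest of update_lxc_config presumably establishes; either drop it or add a comment such as `# explicit deny in addition to the reduced allow rule, in case an earlier rule granted write` stating why both are kept. The enclosing sub update_lxc_config begins outside the hunk.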
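Review bot: The new `'deny-write'` entry in the Config.pm hunk has a description that is not grammatical English ("Deny the container to write to the device"), and this string is user-facing schema documentation; change it to `description => 'Deny the container write access to the device',`. It may also help the reader to state that the default keeps the previous read-write behaviour, e.g. appending " (default: read-write access)" if that matches how other options in this schema phrase their defaults. The enclosing `$dev_desc` hash begins outside the hunk.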