[pve-devel] [PATCH container 1/2] add deny read/write options for device passthrough

[Filip Schauer]

Add the deny_read and deny_write options for device passthrough, to
restrict container access to devices.

Signed-off-by: Filip Schauer <f.schauer at proxmox.com>
---
 src/PVE/LXC.pm        | 13 ++++++++++++-
 src/PVE/LXC/Config.pm | 10 ++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 65d0fa8..6e2b048 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -651,7 +651,18 @@ sub update_lxc_config {
 	my $major = PVE::Tools::dev_t_major($rdev);
 	my $minor = PVE::Tools::dev_t_minor($rdev);
 	my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
-	$raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+	my $allow_perms = $device->{deny_read} ? "" : "r";
+	my $deny_perms = $device->{deny_read} ? "r" : "";
+	$allow_perms .= $device->{deny_write} ? "" : "w";
+	$deny_perms .= $device->{deny_write} ? "w" : "";
+
+	if ($allow_perms) {
+	    $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor $allow_perms\n";
+	}
+
+	if ($deny_perms) {
+	    $raw .= "lxc.cgroup2.devices.deny = $device_type_char $major:$minor $deny_perms\n";
+	}
     });
 
     # WARNING: DO NOT REMOVE this without making sure that loop device nodes
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 1664a35..5db9181 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -962,6 +962,16 @@ my $dev_desc = {
 	minimum => 0,
 	description => 'Group ID to be assigned to the device node',
     },
+    deny_read => {
+	optional => 1,
+	type => 'boolean',
+	description => 'Deny the container to read from the device',
+    },
+    deny_write => {
+	optional => 1,
+	type => 'boolean',
+	description => 'Deny the container to write to the device',
+    },
 };
 
 for (my $i = 0; $i < $MAX_DEVICES; $i++) {
-- 
2.39.2