[pve-devel] [PATCH container 1/2] add deny read/write options for device passthrough
Filip Schauer
f.schauer at proxmox.com
Mon Apr 29 15:15:28 CEST 2024
Add the deny_read and deny_write options for device passthrough, to
restrict container access to devices.
Signed-off-by: Filip Schauer <f.schauer at proxmox.com>
---
src/PVE/LXC.pm | 13 ++++++++++++-
src/PVE/LXC/Config.pm | 10 ++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 65d0fa8..6e2b048 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -651,7 +651,18 @@ sub update_lxc_config {
my $major = PVE::Tools::dev_t_major($rdev);
my $minor = PVE::Tools::dev_t_minor($rdev);
my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
- $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+ my $allow_perms = $device->{deny_read} ? "" : "r";
+ my $deny_perms = $device->{deny_read} ? "r" : "";
+ $allow_perms .= $device->{deny_write} ? "" : "w";
+ $deny_perms .= $device->{deny_write} ? "w" : "";
+
+ if ($allow_perms) {
+ $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor $allow_perms\n";
+ }
+
+ if ($deny_perms) {
+ $raw .= "lxc.cgroup2.devices.deny = $device_type_char $major:$minor $deny_perms\n";
+ }
});
# WARNING: DO NOT REMOVE this without making sure that loop device nodes
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 1664a35..5db9181 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -962,6 +962,16 @@ my $dev_desc = {
minimum => 0,
description => 'Group ID to be assigned to the device node',
},
+ deny_read => {
+ optional => 1,
+ type => 'boolean',
+ description => 'Deny the container to read from the device',
+ },
+ deny_write => {
+ optional => 1,
+ type => 'boolean',
+ description => 'Deny the container to write to the device',
+ },
};
for (my $i = 0; $i < $MAX_DEVICES; $i++) {
--
2.39.2
More information about the pve-devel
mailing list