[pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough

Filip Schauer f.schauer at proxmox.com
Mon Sep 9 14:52:46 CEST 2024


Superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-September/065282.html

On 06/09/2024 19:01, Thomas Lamprecht wrote:
> Am 06/09/2024 um 14:14 schrieb Fiona Ebner:
>> Am 24.07.24 um 19:18 schrieb Filip Schauer:
>>> Add the deny_read and deny_write options for device passthrough, to
>>> restrict container access to devices.
>>>
>>> This allows for passing through a device in read-only mode without
>>> giving the container full access it.
>>>
>>> Up until now a container with a device passed through to it was granted
>>> full access to that device without an option to restrict that access as
>>> pointed out by @Fiona.
>>>
>>> Changes since v1:
>>> * set default values for deny_read & deny_write
>>> * remove the deny_read checkbox from the UI, since it is expected to
>>>    only have a very niche use case.
>>>
>> We could also use dashes instead of underscores, i.e.
>> "deny-read"/"deny-write" as we often do for new properties.
>>
>> Still not fully sure we need deny_read in the backend until somebody
>> complains with a sensible use case, but I guess it doesn't hurt if it's
>> already there.
> +1 to all above, I think going just with a deny-write option should
> be enough for now, let's wait for an actual deny-read use-case before
> adding it.




More information about the pve-devel mailing list