* [pve-devel] [PATCH container v2 1/2] add deny read/write options for device passthrough
2024-07-24 17:18 [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough Filip Schauer
@ 2024-07-24 17:18 ` Filip Schauer
2024-07-24 17:18 ` [pve-devel] [PATCH manager v2 2/2] ui: lxc: add readonly option " Filip Schauer
2024-09-06 12:14 ` [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options " Fiona Ebner
2 siblings, 0 replies; 6+ messages in thread
From: Filip Schauer @ 2024-07-24 17:18 UTC (permalink / raw)
To: pve-devel
Add the deny_read and deny_write options for device passthrough, to
restrict container access to devices.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
src/PVE/LXC.pm | 13 ++++++++++++-
src/PVE/LXC/Config.pm | 12 ++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 65d0fa8..6e2b048 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -651,7 +651,18 @@ sub update_lxc_config {
my $major = PVE::Tools::dev_t_major($rdev);
my $minor = PVE::Tools::dev_t_minor($rdev);
my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
- $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+ my $allow_perms = $device->{deny_read} ? "" : "r";
+ my $deny_perms = $device->{deny_read} ? "r" : "";
+ $allow_perms .= $device->{deny_write} ? "" : "w";
+ $deny_perms .= $device->{deny_write} ? "w" : "";
+
+ if ($allow_perms) {
+ $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor $allow_perms\n";
+ }
+
+ if ($deny_perms) {
+ $raw .= "lxc.cgroup2.devices.deny = $device_type_char $major:$minor $deny_perms\n";
+ }
});
# WARNING: DO NOT REMOVE this without making sure that loop device nodes
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 1664a35..b37f84d 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -962,6 +962,18 @@ my $dev_desc = {
minimum => 0,
description => 'Group ID to be assigned to the device node',
},
+ deny_read => {
+ optional => 1,
+ type => 'boolean',
+ description => 'Deny the container to read from the device',
+ default => 0,
+ },
+ deny_write => {
+ optional => 1,
+ type => 'boolean',
+ description => 'Deny the container to write to the device',
+ default => 0,
+ },
};
for (my $i = 0; $i < $MAX_DEVICES; $i++) {
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread* [pve-devel] [PATCH manager v2 2/2] ui: lxc: add readonly option for device passthrough
2024-07-24 17:18 [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough Filip Schauer
2024-07-24 17:18 ` [pve-devel] [PATCH container v2 1/2] " Filip Schauer
@ 2024-07-24 17:18 ` Filip Schauer
2024-09-06 12:14 ` [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options " Fiona Ebner
2 siblings, 0 replies; 6+ messages in thread
From: Filip Schauer @ 2024-07-24 17:18 UTC (permalink / raw)
To: pve-devel
Add a checkbox to the device passthrough dialogue for restricting
container write access to a passed through device.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
www/manager6/lxc/DeviceEdit.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/www/manager6/lxc/DeviceEdit.js b/www/manager6/lxc/DeviceEdit.js
index cdbd9acc..fffb9624 100644
--- a/www/manager6/lxc/DeviceEdit.js
+++ b/www/manager6/lxc/DeviceEdit.js
@@ -95,6 +95,13 @@ Ext.define('PVE.lxc.DeviceInputPanel', {
return gettext("Access mode has to be an octal number");
},
},
+ {
+ xtype: 'checkbox',
+ name: 'deny_write',
+ fieldLabel: gettext('Read only'),
+ labelWidth: 120,
+ checked: false,
+ },
],
});
@@ -145,6 +152,7 @@ Ext.define('PVE.lxc.DeviceEdit', {
mode: data.mode,
uid: data.uid,
gid: data.gid,
+ deny_write: data.deny_write,
};
ipanel.setValues(values);
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough
2024-07-24 17:18 [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough Filip Schauer
2024-07-24 17:18 ` [pve-devel] [PATCH container v2 1/2] " Filip Schauer
2024-07-24 17:18 ` [pve-devel] [PATCH manager v2 2/2] ui: lxc: add readonly option " Filip Schauer
@ 2024-09-06 12:14 ` Fiona Ebner
2024-09-06 17:01 ` Thomas Lamprecht
2 siblings, 1 reply; 6+ messages in thread
From: Fiona Ebner @ 2024-09-06 12:14 UTC (permalink / raw)
To: Proxmox VE development discussion, Filip Schauer
Am 24.07.24 um 19:18 schrieb Filip Schauer:
> Add the deny_read and deny_write options for device passthrough, to
> restrict container access to devices.
>
> This allows for passing through a device in read-only mode without
> giving the container full access it.
>
> Up until now a container with a device passed through to it was granted
> full access to that device without an option to restrict that access as
> pointed out by @Fiona.
>
> Changes since v1:
> * set default values for deny_read & deny_write
> * remove the deny_read checkbox from the UI, since it is expected to
> only have a very niche use case.
>
We could also use dashes instead of underscores, i.e.
"deny-read"/"deny-write" as we often do for new properties.
Still not fully sure we need deny_read in the backend until somebody
complains with a sensible use case, but I guess it doesn't hurt if it's
already there.
In any case:
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough
2024-09-06 12:14 ` [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options " Fiona Ebner
@ 2024-09-06 17:01 ` Thomas Lamprecht
2024-09-09 12:52 ` Filip Schauer
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Lamprecht @ 2024-09-06 17:01 UTC (permalink / raw)
To: Proxmox VE development discussion, Fiona Ebner, Filip Schauer
Am 06/09/2024 um 14:14 schrieb Fiona Ebner:
> Am 24.07.24 um 19:18 schrieb Filip Schauer:
>> Add the deny_read and deny_write options for device passthrough, to
>> restrict container access to devices.
>>
>> This allows for passing through a device in read-only mode without
>> giving the container full access it.
>>
>> Up until now a container with a device passed through to it was granted
>> full access to that device without an option to restrict that access as
>> pointed out by @Fiona.
>>
>> Changes since v1:
>> * set default values for deny_read & deny_write
>> * remove the deny_read checkbox from the UI, since it is expected to
>> only have a very niche use case.
>>
>
> We could also use dashes instead of underscores, i.e.
> "deny-read"/"deny-write" as we often do for new properties.
>
> Still not fully sure we need deny_read in the backend until somebody
> complains with a sensible use case, but I guess it doesn't hurt if it's
> already there.
+1 to all above, I think going just with a deny-write option should
be enough for now, let's wait for an actual deny-read use-case before
adding it.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough
2024-09-06 17:01 ` Thomas Lamprecht
@ 2024-09-09 12:52 ` Filip Schauer
0 siblings, 0 replies; 6+ messages in thread
From: Filip Schauer @ 2024-09-09 12:52 UTC (permalink / raw)
To: Thomas Lamprecht, Proxmox VE development discussion, Fiona Ebner
Superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-September/065282.html
On 06/09/2024 19:01, Thomas Lamprecht wrote:
> Am 06/09/2024 um 14:14 schrieb Fiona Ebner:
>> Am 24.07.24 um 19:18 schrieb Filip Schauer:
>>> Add the deny_read and deny_write options for device passthrough, to
>>> restrict container access to devices.
>>>
>>> This allows for passing through a device in read-only mode without
>>> giving the container full access it.
>>>
>>> Up until now a container with a device passed through to it was granted
>>> full access to that device without an option to restrict that access as
>>> pointed out by @Fiona.
>>>
>>> Changes since v1:
>>> * set default values for deny_read & deny_write
>>> * remove the deny_read checkbox from the UI, since it is expected to
>>> only have a very niche use case.
>>>
>> We could also use dashes instead of underscores, i.e.
>> "deny-read"/"deny-write" as we often do for new properties.
>>
>> Still not fully sure we need deny_read in the backend until somebody
>> complains with a sensible use case, but I guess it doesn't hurt if it's
>> already there.
> +1 to all above, I think going just with a deny-write option should
> be enough for now, let's wait for an actual deny-read use-case before
> adding it.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread