From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 4C3B21FF15F for ; Mon, 9 Sep 2024 14:52:11 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E72431334F; Mon, 9 Sep 2024 14:52:49 +0200 (CEST) Message-ID: <6ec4b350-f4c2-47b2-8b81-708854a84e82@proxmox.com> Date: Mon, 9 Sep 2024 14:52:46 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: Thomas Lamprecht , Proxmox VE development discussion , Fiona Ebner References: <20240724171857.432913-1-f.schauer@proxmox.com> <2568be20-ad08-4539-b98f-9b9d454634ab@proxmox.com> <1c63acb3-499e-40f3-8dab-a098502af269@proxmox.com> From: Filip Schauer In-Reply-To: <1c63acb3-499e-40f3-8dab-a098502af269@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.054 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH container/manager v2 0/2] add deny read/write options for device passthrough X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Superseded by: https://lists.proxmox.com/pipermail/pve-devel/2024-September/065282.html On 06/09/2024 19:01, Thomas Lamprecht wrote: > Am 06/09/2024 um 14:14 schrieb Fiona Ebner: >> Am 24.07.24 um 19:18 schrieb Filip Schauer: >>> Add the deny_read and deny_write options for device passthrough, to >>> restrict container access to devices. >>> >>> This allows for passing through a device in read-only mode without >>> giving the container full access it. >>> >>> Up until now a container with a device passed through to it was granted >>> full access to that device without an option to restrict that access as >>> pointed out by @Fiona. >>> >>> Changes since v1: >>> * set default values for deny_read & deny_write >>> * remove the deny_read checkbox from the UI, since it is expected to >>> only have a very niche use case. >>> >> We could also use dashes instead of underscores, i.e. >> "deny-read"/"deny-write" as we often do for new properties. >> >> Still not fully sure we need deny_read in the backend until somebody >> complains with a sensible use case, but I guess it doesn't hurt if it's >> already there. > +1 to all above, I think going just with a deny-write option should > be enough for now, let's wait for an actual deny-read use-case before > adding it. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel