From 46392945c606bef9f6c6838a3e1c9d95b95377a0 Mon Sep 17 00:00:00 2001
From: Peng Tao
Date: Wed, 19 Feb 2020 05:50:57 -0800
Subject: [PATCH] qemu: pass guest image file readonly

So that we fobid guest from making changes to it.

Fixes: #2476

Signed-off-by: Peng Tao
---
 virtcontainers/device/config/config.go | 3 +++
 virtcontainers/qemu_arch_base.go | 10 ++++++----
 virtcontainers/qemu_arch_base_test.go | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/virtcontainers/device/config/config.go b/virtcontainers/device/config/config.go
index 3a884470a7..88d844c752 100644
--- a/virtcontainers/device/config/config.go
+++ b/virtcontainers/device/config/config.go
@@ -153,6 +153,9 @@ type BlockDrive struct {
 // ShareRW enables multiple qemu instances to share the File
 ShareRW bool
+
+ // ReadOnly sets the device file readonly
+ ReadOnly bool
 }
 // VFIODeviceType indicates VFIO device type
diff --git a/virtcontainers/qemu_arch_base.go b/virtcontainers/qemu_arch_base.go
index 9eff2c7405..5c9e1fb2eb 100644
--- a/virtcontainers/qemu_arch_base.go
+++ b/virtcontainers/qemu_arch_base.go
@@ -343,10 +343,11 @@ func genericImage(path string) (config.BlockDrive, error) {
 id := utils.MakeNameID("image", hex.EncodeToString(randBytes), maxDevIDSize)
 drive := config.BlockDrive{
- File: path,
- Format: "raw",
- ID: id,
- ShareRW: true,
+ File: path,
+ Format: "raw",
+ ID: id,
+ ShareRW: true,
+ ReadOnly: true,
 }
 return drive, nil
@@ -603,6 +604,7 @@ func genericBlockDevice(drive config.BlockDrive, nestedRun bool) (govmmQemu.Bloc
 Interface: "none",
 DisableModern: nestedRun,
 ShareRW: drive.ShareRW,
+ ReadOnly: drive.ReadOnly,
 }, nil
 }
diff --git a/virtcontainers/qemu_arch_base_test.go b/virtcontainers/qemu_arch_base_test.go
index e95dd85ed9..e3edad17de 100644
--- a/virtcontainers/qemu_arch_base_test.go
+++ b/virtcontainers/qemu_arch_base_test.go
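Review bot: The doc comment on the new BlockDrive.ReadOnly field says what it sets but not what callers may rely on; since the commit's purpose is that the guest cannot modify the backing file, the comment should state that contract and that the zero value (false) leaves the drive writable. Suggest `// ReadOnly exposes the drive to the guest read-only so the guest cannot modify File; the zero value keeps the drive writable. Consumers that build the VMM drive from a BlockDrive must propagate it.` The flag is only effective where a consumer forwards it, as genericBlockDevice does in this patch; any other code path that turns a BlockDrive into a VMM device would silently ignore it, which is worth a sentence in the doc.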
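Review bot: `ReadOnly: true` in genericImage is set unconditionally with no comment on why, and the reason (this image is shared between qemu instances via ShareRW and the guest must not be able to alter the host-side file) lives only in the commit message where the next maintainer will not find it. Suggest `ReadOnly: true, // shared guest image: the guest must never write to the host file`. Pairing the why-comment with ShareRW also makes the invariant visible that a drive marked ShareRW here is only safe because it is read-only. genericImage's body begins before this hunk.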
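Review bot: The forwarding of drive.ReadOnly in genericBlockDevice is only pinned indirectly: the test change in qemu_arch_base_test.go updates the expected value of TestQemuArchBaseAppendImage, so a BlockDrive with ReadOnly left false is never asserted to stay writable and a regression that ignores or inverts the flag would pass. If there is an existing test for genericBlockDevice (or the AppendBlockDevice path that calls it), a two-case table with `ReadOnly: true` and `ReadOnly: false` expecting the matching field on the govmmQemu.BlockDevice would close that gap. Whether the VMM side opens the host file read-only as well as rejecting guest writes depends on how govmmQemu maps ReadOnly, which is not visible here and worth confirming in a comment. genericBlockDevice's signature appears only in the hunk header; its body starts outside the hunk.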
@@ -308,6 +308,7 @@ func TestQemuArchBaseAppendImage(t *testing.T) {
 Format: "raw",
 Interface: "none",
 ShareRW: true,
+ ReadOnly: true,
 },
 }