qemu: pass guest image file readonly

So that we fobid guest from making changes to it. Fixes: #2476 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2025-06-25 15:02:45 +00:00 · 2020-02-19 05:50:57 -08:00 · 2020-02-19 05:50:57 -08:00 · 46392945c6
commit 46392945c6
parent 63fdf5328f
3 changed files with 10 additions and 4 deletions
--- a/virtcontainers/device/config/config.go
+++ b/virtcontainers/device/config/config.go
@ -153,6 +153,9 @@ type BlockDrive struct {

 	// ShareRW enables multiple qemu instances to share the File
 	ShareRW bool
+
+	// ReadOnly sets the device file readonly
+	ReadOnly bool
 }

 // VFIODeviceType indicates VFIO device type
--- a/virtcontainers/qemu_arch_base.go
+++ b/virtcontainers/qemu_arch_base.go
@ -343,10 +343,11 @@ func genericImage(path string) (config.BlockDrive, error) {
 	id := utils.MakeNameID("image", hex.EncodeToString(randBytes), maxDevIDSize)

 	drive := config.BlockDrive{
-		File:    path,
-		Format:  "raw",
-		ID:      id,
-		ShareRW: true,
+		File:     path,
+		Format:   "raw",
+		ID:       id,
+		ShareRW:  true,
+		ReadOnly: true,
 	}

 	return drive, nil
@ -603,6 +604,7 @@ func genericBlockDevice(drive config.BlockDrive, nestedRun bool) (govmmQemu.Bloc
 		Interface:     "none",
 		DisableModern: nestedRun,
 		ShareRW:       drive.ShareRW,
+		ReadOnly:      drive.ReadOnly,
 	}, nil
 }

--- a/virtcontainers/qemu_arch_base_test.go
+++ b/virtcontainers/qemu_arch_base_test.go
@ -308,6 +308,7 @@ func TestQemuArchBaseAppendImage(t *testing.T) {
 			Format:    "raw",
 			Interface: "none",
 			ShareRW:   true,
+			ReadOnly:  true,
 		},
 	}