From eae62ca9ac6cefd49f52e377b79922d3cfcb0bd8 Mon Sep 17 00:00:00 2001
From: "alex.lyn"
Date: Wed, 25 Jun 2025 17:29:43 +0800
Subject: [PATCH] runtime-rs: Support shared fs with "none" on non-tee platforms
This commit introduces the ability to run Pods without shared fs mechanism in Kata. The default shared fs can lead to unnecessary resource consumption and security risks for certain use cases. Specifically, scenarios where files only need to be copied into the VM once at Pod creation (e.g., non-tee envs) and don't require dynamic updates make the shared fs redundant and inefficient. By explicitly disabling shared fs functionality, we reduce resource overhead and shrink the attack surface. Users will need to employ alternative methods(e.g. guest-pull) to ensure container images are shared into the guest VM for these specific scenarios.
Signed-off-by: alex.lyn
---
 src/runtime-rs/crates/hypervisor/src/qemu/inner.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
index 86765c3210..55e7b9d7b7 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
@@ -389,7 +389,9 @@ impl QemuInner {
 let mut caps = Capabilities::default();
 // Confidential Guest doesn't permit virtio-fs.
- let flags = if self.hypervisor_config().security_info.confidential_guest {
+ let flags = if self.hypervisor_config().security_info.confidential_guest
+ || self.hypervisor_config().shared_fs.shared_fs.is_none()
+ {
 CapabilityBits::BlockDeviceSupport | CapabilityBits::BlockDeviceHotplugSupport
 } else {
 CapabilityBits::BlockDeviceSupport