mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-08-11 04:42:16 +00:00
782cd2ed10
git-subtree-dir: tools/packaging git-subtree-mainline:f818b46a41git-subtree-split:1f22d72d5dSigned-off-by: Peng Tao <bergwolf@hyper.sh>
46 lines
1.6 KiB
Diff
46 lines
1.6 KiB
Diff
From 3a6e5e157f355b3c42b6c2a0c85b4acaba849ac3 Mon Sep 17 00:00:00 2001
|
|
From: Julio Montes <julio.montes@intel.com>
|
|
Date: Mon, 8 Jul 2019 21:19:36 +0000
|
|
Subject: [PATCH 2/2] memory-backend-file/nvdimm: support read-only files as
|
|
memory-backends
|
|
|
|
Currently it is not possible to use a file that is part of a read-only
|
|
filesystem as memory backend for nvdimm devices, even if the file itself
|
|
is not modified in the guest. Same goes for files that do not have write access.
|
|
In order to improve the security of Virtual Machines that share
|
|
and do not modify the memory-backend-file, QEMU should support
|
|
read-only memory-backends.
|
|
|
|
Use case:
|
|
* Kata Containers use a memory-backed-file as read-only rootfs, and this
|
|
file is used to start all the virtual machines in the node.
|
|
It would be really bad if somehow a malicious container modified it.
|
|
|
|
Signed-off-by: Julio Montes <julio.montes@intel.com>
|
|
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
|
|
Message-Id: <20190708211936.8037-1-julio.montes@intel.com>
|
|
---
|
|
exec.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/exec.c b/exec.c
|
|
index 2874bb5088..ba2fff234b 100644
|
|
--- a/exec.c
|
|
+++ b/exec.c
|
|
@@ -1781,6 +1781,12 @@ static int file_ram_open(const char *path,
|
|
break;
|
|
}
|
|
g_free(filename);
|
|
+ } else if (errno == EROFS || errno == EACCES) {
|
|
+ fd = open(path, O_RDONLY);
|
|
+ if (fd >= 0) {
|
|
+ /* @path names an existing read-only file, use it */
|
|
+ break;
|
|
+ }
|
|
}
|
|
if (errno != EEXIST && errno != EINTR) {
|
|
error_setg_errno(errp, errno,
|
|
--
|
|
2.21.0
|
|
|