Readonly share support

Forist2034 · web-flow · commit b9206e245c07 · 2025-09-17T14:47:02.000+02:00
diff --git a/lib/runners/crosvm.nix b/lib/runners/crosvm.nix
@@ -100,11 +100,13 @@ in {
         ]
       ) volumes
       ++
-      builtins.concatMap ({ proto, tag, source, socket, ... }: {
+      builtins.concatMap ({ proto, tag, source, socket, readOnly, ... }: {
         "virtiofs" = [
           "--vhost-user" "type=fs,socket=${socket}"
         ];
-        "9p" = [
+        "9p" = if readOnly then
+          throw "Readonly 9p share is not supported"
+        else [
           "--shared-dir" "${source}:${tag}:type=p9"
         ];
       }.${proto}) shares
diff --git a/lib/runners/kvmtool.nix b/lib/runners/kvmtool.nix
@@ -59,9 +59,11 @@ in {
         ]
       ) volumes
       ++
-      builtins.concatMap ({ proto, source, tag, ... }:
+      builtins.concatMap ({ proto, source, tag, readOnly, ... }:
         if proto == "9p"
-        then [
+        then if readOnly then
+          throw "kvmtool does not support readonly 9p share"
+        else [
           "--9p" (lib.escapeShellArg "${source},${tag}")
         ] else throw "virtiofs shares not implemented for kvmtool"
       ) shares
diff --git a/lib/runners/qemu.nix b/lib/runners/qemu.nix
@@ -253,13 +253,13 @@ lib.warnIf (mem == 2048) ''
         "-numa" "node,memdev=mem"
         "-object" "memory-backend-memfd,id=mem,size=${toString mem}M,share=on"
       ]) ++
-      builtins.concatMap ({ proto, index, socket, source, tag, securityModel, ... }: {
+      builtins.concatMap ({ proto, index, socket, source, tag, securityModel, readOnly, ... }: {
         "virtiofs" = [
           "-chardev" "socket,id=fs${toString index},path=${socket}"
           "-device" "vhost-user-fs-${devType},chardev=fs${toString index},tag=${tag}"
         ];
         "9p" = [
-          "-fsdev" "local,id=fs${toString index},path=${source},security_model=${securityModel}"
+          "-fsdev" "local,id=fs${toString index},path=${source},security_model=${securityModel},readonly=${lib.boolToString readOnly}"
           "-device" "virtio-9p-${devType},fsdev=fs${toString index},mount_tag=${tag}"
         ];
       }.${proto}) (enumerate 0 shares)
diff --git a/nixos-modules/microvm/options.nix b/nixos-modules/microvm/options.nix
@@ -371,6 +371,11 @@ in
             description = "Protocol for this share";
             default = "9p";
           };
+          readOnly = mkOption {
+            type = bool;
+            description = "Turn off write access";
+            default = false;
+          };
         };
       }));
     };
diff --git a/nixos-modules/microvm/virtiofsd/default.nix b/nixos-modules/microvm/virtiofsd/default.nix
@@ -28,7 +28,7 @@ in
             events = "PROCESS_STATE";
           };
         } // builtins.listToAttrs (
-          map ({ tag, socket, source, ... }: {
+          map ({ tag, socket, source, readOnly, ... }: {
             name = "program:virtiofsd-${tag}";
             value = {
               stderr_syslog = true;
@@ -55,6 +55,7 @@ in
                   ${lib.optionalString (config.microvm.hypervisor == "crosvm")
                     "--tag=${tag}"
                   } \
+                  ${lib.optionalString readOnly "--readonly"} \
                   ${lib.concatStringsSep " " config.microvm.virtiofsd.extraArgs}
               '';
             };
