From 5ebca77438e87dd267fe2fe6fffed3c8c040f5ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Sat, 30 Mar 2024 11:45:20 -0400
Subject: [PATCH 1/2] lxd/project: Allow managed volumes under "allow"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are currently three valid values for `restricted.devices.disk`. `block` will block everything, `managed` allows only managed volumes and `allow` allows not only managed volumes but also other types like shared host paths.

When under `allow`, `restricted.devices.disk.paths` can be used to limit the host paths that can be passed into the instance. But that particular restriction should only apply to unmanaged volumes.

Closes https://github.com/lxc/incus/issues/706
Signed-off-by: Stéphane Graber
(cherry picked from commit 54bb8dd4e1ac6a49dfff66edacbd54948ea219b6)
Signed-off-by: Wesley Hershberger
License: Apache-2.0
---
 lxd/project/permissions.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index 1859b3c9a164..323788063d7a 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -642,10 +642,11 @@ func checkRestrictions(project api.Project, instances []api.Instance, profiles [
 }
 case "allow":
- var allowed bool
- allowed, _ = CheckRestrictedDevicesDiskPaths(project.Config, device["source"])
- if !allowed {
- return fmt.Errorf("Disk source path %q not allowed", device["source"])
+ if device["pool"] == "" {
+ allowed, _ := CheckRestrictedDevicesDiskPaths(project.Config, device["source"])
+ if !allowed {
+ return fmt.Errorf("Disk source path %q not allowed", device["source"])
+ }
 }
 }

From 29dd916d1325d2f2224e70e00e054c41578bb068 Mon Sep 17 00:00:00 2001
From: Wesley Hershberger
Date: Tue, 3 Sep 2024 17:32:12 -0500
Subject: [PATCH 2/2] test: restricted.devices.disk project restrictions
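Review bot: The new `if device["pool"] == ""` gate makes a non-empty `pool` the only signal that the `allow` path restriction does not apply, so the allow-list in `restricted.devices.disk.paths` is now only as strong as whatever elsewhere guarantees that a device with `pool` set cannot also carry a host path in `source`. If the disk device validation does not already reject that combination (it is not visible from this hunk), a device that sets both would skip the check entirely; a defensive guard here keeps the restriction self-contained: `if device["pool"] != "" && filepath.IsAbs(device["source"]) { return fmt.Errorf("Disk source %q cannot be a host path when a pool is set", device["source"]) }` (requires `path/filepath` in scope). The `allowed, _ :=` form still discards the error from `CheckRestrictedDevicesDiskPaths`; that is pre-existing, but a one-line comment such as `// A failed path check is deliberately treated as not allowed.` would record that the fail-closed behaviour is intended rather than accidental. `checkRestrictions` begins and ends outside this hunk.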
Signed-off-by: Wesley Hershberger
---
 test/suites/projects.sh | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/test/suites/projects.sh b/test/suites/projects.sh
index b34fad3a4d1d..738cbe275f3d 100644
--- a/test/suites/projects.sh
+++ b/test/suites/projects.sh
@@ -972,6 +972,28 @@ test_projects_restrictions() {
 lxc project set p1 restricted.devices.disk=block
 ! lxc profile device add default data disk pool="${pool}" path=/mnt source="v-proj$$" || false
+ restrictedDir="/opt/projects_restricted"
+ mkdir "${restrictedDir}"
+ tmpDir=$(mktemp -d)
+ optDir=$(mktemp -d --tmpdir="${restrictedDir}")
+
+ # Block unmanaged disk devices
+ lxc project set p1 restricted.devices.disk=managed
+ ! lxc profile device add default data disk path=/mnt source="${tmpDir}" || false
+
+ # Allow unmanaged disk devices
+ lxc project set p1 restricted.devices.disk=allow
+ lxc profile device add default data disk path=/mnt source="${tmpDir}"
+ lxc profile device remove default data
+
+ # Path restrictions
+ lxc project set p1 restricted.devices.disk.paths="${restrictedDir}"
+ ! lxc profile device add default data disk path=/mnt source="${tmpDir}" || false
+ lxc profile device add default data disk path=/mnt source="${optDir}"
+ lxc profile device remove default data
+
+ rm -r "${tmpDir}" "${optDir}" "${restrictedDir}"
+
 # Setting restricted.containers.nesting to 'allow' makes it possible to create
 # nested containers.
 lxc project set p1 restricted.containers.nesting=allow
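Review bot: The "Path restrictions" block never exercises the behaviour that PATCH 1/2 changes, namely that a managed volume is still accepted under `allow` once `restricted.devices.disk.paths` is set; after `lxc project set p1 restricted.devices.disk.paths="${restrictedDir}"` add `lxc profile device add default data disk pool="${pool}" path=/mnt source="v-proj$$"` followed by `lxc profile device remove default data`, mirroring the `pool="${pool}"` command already used for the `block` case above (assuming that volume still exists at this point in the test). `mkdir "${restrictedDir}"` uses a fixed path under /opt and the `rm -r` cleanup only runs when every preceding assertion passes, so an interrupted or failed run leaves the directory behind and the next run aborts at `mkdir`; `mkdir -p "${restrictedDir}"` or a trap-based cleanup avoids that. The block also leaves `restricted.devices.disk=allow` and `restricted.devices.disk.paths` set for the remainder of `test_projects_restrictions`, which is only safe if the later steps do not depend on the earlier `block` value — if they do, reset with `lxc project unset p1 restricted.devices.disk.paths` before moving on. `test_projects_restrictions` starts before this hunk.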