lxd/project: Allow managed volumes under "allow"

There are currently three valid values for `restricted.devices.disk`. `block` will block everything, `managed` allows only managed volumes and `allow` allows not only managed volumes but also other types like shared host paths. When under `allow`, `restricted.devices.disk.paths` can be used to limit the host paths that can be passed into the instance. But that particular restriction should only apply to unmanaged volumes. Closes lxc/incus#706 Signed-off-by: Stéphane Graber <[email protected]> (cherry picked from commit 54bb8dd4e1ac6a49dfff66edacbd54948ea219b6) Signed-off-by: Wesley Hershberger <[email protected]> License: Apache-2.0
canonical · Aug 30, 2024 · 5ebca77 · 5ebca77
1 parent 4c020e2
commit 5ebca77
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
@@ -642,10 +642,11 @@ func checkRestrictions(project api.Project, instances []api.Instance, profiles [
 					}
 
 				case "allow":
-					var allowed bool
-					allowed, _ = CheckRestrictedDevicesDiskPaths(project.Config, device["source"])
-					if !allowed {
-						return fmt.Errorf("Disk source path %q not allowed", device["source"])
+					if device["pool"] == "" {
+						allowed, _ := CheckRestrictedDevicesDiskPaths(project.Config, device["source"])
+						if !allowed {
+							return fmt.Errorf("Disk source path %q not allowed", device["source"])
+						}
 					}
 				}