From a38b4c7f17c68817c2e84df85700fc6e6e3879ff Mon Sep 17 00:00:00 2001
From: Andrew Consroe
Date: Tue, 18 Mar 2025 16:16:04 -0500
Subject: [PATCH] vmm: tighten landlock rule for PmemConfig when discard_writes is true, only grant read access in landlock
Signed-off-by: Andrew Consroe
---
vmm/src/vm_config.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/vmm/src/vm_config.rs b/vmm/src/vm_config.rs
index 93304e47d..1888b90b3 100644
--- a/vmm/src/vm_config.rs
+++ b/vmm/src/vm_config.rs
@@ -486,7 +486,8 @@ pub struct PmemConfig {

 impl ApplyLandlock for PmemConfig {
 fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
- landlock.add_rule_with_access(self.file.to_path_buf(), "rw")?;
+ let access = if self.discard_writes { "r" } else { "rw" };
+ landlock.add_rule_with_access(self.file.to_path_buf(), access)?;
 Ok(())
 }
 }
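Review bot: The new `"r"` branch in `apply_landlock` is only correct if the code that opens `self.file` for the pmem device also requests no write access when `discard_writes` is set. That open path is outside this hunk, so please confirm it. If the two disagree, the sandbox fails closed (the open is denied) rather than over-granting, but the failure would surface far from this rule. I would record the coupling above the new `let access` line, for example `// Read-only is sufficient when discard_writes is set; must stay in sync with the flags used to open self.file.` A test that applies the rule with `discard_writes = true` and checks that the device still initialises would pin this down.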