Anthony Liguori writes ("Re: [Qemu-devel] PATCH: Control over drive open modes for backing file"):
> Right, but my point is that ,mode=ro does not have to force QEMU to open
> the file O_RDONLY. It simply needs to prevent writes from happening.

Well, yes, but actually it's probably most reliable to do it that way.
Given that this is a security feature we want to avoid accidentally
`missing' a case. So we should definitely open the underlying file(s)
O_RDONLY.
If we do that then the guest definitely won't be able to write, as if
it manages to persuade qemu to try, qemu will just get an error. This
is fine I think, if we can expose the read-only status to the guest.

> But it's important to be able to expose this property to the guest, so
> ,mode=ro should not be allowed for disks that do not support exposing
> their read-only-ness to the guest.

I agree that it would be an unusual thing to do, to expose a ro disk
in a way that doesn't support advertising the ro flag. But I think it
should still be possible, perhaps with some kind of force option.
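
The O_RDONLY argument from the message above, as an added example (not part of the original message and not QEMU code): a write path that forgets the software read-only check still fails with EBADF when the image was opened O_RDONLY, but modifies the image when it was opened O_RDWR. `struct drive`, the function names and the temporary file are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Hypothetical drive model for illustration; not QEMU's block layer. */
struct drive { int fd; bool read_only; /* software-level flag */ };

/* Normal write path: honours the software read-only flag. */
static int drive_write(struct drive *d, const void *buf, size_t n, off_t off)
{
    if (d->read_only)
        return -EROFS;
    return pwrite(d->fd, buf, n, off) < 0 ? -errno : 0;
}

/* A path where the flag check was accidentally left out. */
static int drive_write_missed(struct drive *d, const void *buf, size_t n, off_t off)
{
    return pwrite(d->fd, buf, n, off) < 0 ? -errno : 0;
}

/* Build a constructed 1-byte image, open it with open_flags as a read-only
 * drive, write via the unchecked path; *changed reports image modification. */
static int try_missed_path(int open_flags, bool *changed)
{
    char path[] = "/tmp/ro-drive-XXXXXX", c = 0;
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "A", 1) != 1)
        return -EIO;
    close(fd);
    struct drive d = { .fd = open(path, open_flags), .read_only = true };
    (void)drive_write(&d, "B", 1, 0);             /* -EROFS: checked path refuses */
    int rc = drive_write_missed(&d, "B", 1, 0);   /* only the open mode is left */
    close(d.fd);
    fd = open(path, O_RDONLY);
    *changed = (read(fd, &c, 1) == 1 && c != 'A');
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    bool a, b;
    int ro = try_missed_path(O_RDONLY, &a), rw = try_missed_path(O_RDWR, &b);
    printf("O_RDONLY: rc=%d changed=%d\nO_RDWR:   rc=%d changed=%d\n", ro, a, rw, b);
}
```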