From 5870a5f31cacfd54ac15df1aa8f1355777849a20 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 12 Jan 2022 17:09:06 -0500
Subject: [PATCH] Disallow persistent attachment of block devices It is very fragile.
---
 qubes/api/admin.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/qubes/api/admin.py b/qubes/api/admin.py
index f36d65c37..ea372c1be 100644
--- a/qubes/api/admin.py
+++ b/qubes/api/admin.py
@@ -1308,6 +1308,9 @@ async def vm_device_attach(self, endpoint, untrusted_payload):
 # may raise KeyError, either on domain or ident
 dev = self.app.domains[backend_domain].devices[devclass][ident]
+ if devclass == 'block' and persistent:
+ raise qubes.exc.QubesException('Block devices cannot be persistently attached')
+ self.fire_event_for_permission(device=dev, devclass=devclass, persistent=persistent, options=options)
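Review bot: The new `if devclass == 'block' and persistent:` guard covers only this attach call, so the restriction holds only if no other path can mark a block attachment persistent. If this tree also exposes the Set.persistent device call (`vm_device_set_persistent`, not visible in this hunk), it needs the same check, and block assignments already stored as persistent are presumably untouched by this change. The guard also has no comment saying why block is singled out; I would add `# persistent block attachment is rejected on purpose (fragile); keep in sync with any other call that can set persistence` above it, and a test asserting that the call raises for block and still succeeds for another device class. vm_device_attach starts and ends outside the hunk.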