The following PRs ensure that readonly=true disk devices are now truly read-only even when using one of the QEMU proxy daemons to work around AppArmor profile and unprivileged user limitations.
We now use a host-side readonly bind mount of the source directory, which is passed to the
virtfs-proxy-helper (for 9p) and
virtiofsd (for virtio-fs) shares, providing a “belt and braces” approach by using the Linux kernel itself to enforce readonly access and don’t just rely on QEMU’s security restrictions.
And associated test updates: