fix block device access

-) The condition was apparently to ignore /dev/ paths while
   that's actually what it was supposed to handle... (other
   paths aren't devices...).
-) Get rid of the blockdevices_list heuristics, it doesn't
   work reliably for all types of devices.
-) Check whether a device is a block device via S_ISBLK on
   the device file.
-) Don't try to follow symlinks as the name we provide in
   the mp config is the name we want in the container.
-) Blacklisted loop devices as they pose a security risk.

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 216c3cf991a7b4d4c332502d24f374c31324817a..7f11ba0a5955b59a801df637a083a204e8706a69 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1818,19 +1818,6 @@ sub foreach_mountpoint_reverse {
     foreach_mountpoint_full($conf, 1, $func);
 }
 
-sub blockdevices_list {
-
-    my $bdevs = {};
-    dir_glob_foreach("/sys/dev/block/", '(\d+):(\d+)', sub {
-        my (undef, $major, $minor) = @_;
-        my $bdev = readlink("/sys/dev/block/$major:$minor");
-        $bdev =~ s/\.\.\/\.\.\/devices\/virtual\/block\//\/dev\//;
-        $bdevs->{$bdev}->{major} = $major;
-        $bdevs->{$bdev}->{minor} = $minor;
-    });
-    return $bdevs;
-}
-
 sub check_ct_modify_config_perm {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 

diff --git a/src/lxc-pve-mount-hook b/src/lxc-pve-mount-hook
index b7d84edd57c096ade77749f296ba1c92f5c8e4b4..41a25cf54061a361e518be1a2b121e538c0a10c9 100755 (executable)
--- a/src/lxc-pve-mount-hook
+++ b/src/lxc-pve-mount-hook
@@ -7,6 +7,7 @@ exit 0 if $ENV{LXC_NAME} && $ENV{LXC_NAME} !~ /^\d+$/;
 
 use POSIX;
 use File::Path;
+use Fcntl ':mode';
 
 use PVE::SafeSyslog;
 use PVE::Tools;
@@ -88,8 +89,6 @@ __PACKAGE__->register_method ({
        $raw = -f $fn ? PVE::Tools::file_get_contents($fn) : '';
        my $storage_cfg = PVE::Storage::Plugin->parse_config($fn, $raw);
 
-       my $bdevs = PVE::LXC::blockdevices_list();
-
        my $setup_mountpoint = sub {
            my ($ms, $mountpoint) = @_;
 
@@ -101,18 +100,18 @@ __PACKAGE__->register_method ({
            my ($ms, $mountpoint) = @_;
 
            my $volid = $mountpoint->{volume};
-           return if !$volid || $volid =~ m|^/dev/.+|;
+           return if !$volid || $volid !~ m|^/dev/.+|;
 
            my $path = PVE::LXC::mountpoint_mount_path($mountpoint, $storage_cfg);
 
-           if (-l $path) {
-               $path = readlink($path);
-               $path =~ s/\.\.\/\.\.\//\/dev\//;
-           }
-
-           if ($bdevs->{$path}) {
-               PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b',  $bdevs->{$path}->{major}, $bdevs->{$path}->{minor}]);
-               PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b $bdevs->{$path}->{major}:$bdevs->{$path}->{minor} rwm");
+           my (undef, undef, $mode, undef, undef, undef, $rdev) = stat($path);
+           if ($mode && S_ISBLK($mode) && $rdev) {
+               my $major = int($rdev / 0x100);
+               my $minor = $rdev % 0x100;
+               if ($major != 7) { # must not be a loop device
+                   PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b', $major, $minor]);
+                   PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b ${major}:${minor} rwm");
+               }
            }
        };