[pve-devel] container block device access

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Sep 7 11:58:52 CEST 2015

I'm currently cleaning up the loop-devices code and am getting rid of
pretty much all of it for security reasons and ease of handling.

For one, losetup's listed paths aren't always accurate when
mount-namespaces are involved (you get a path relative to the
root of the filesystem the file resides on, e.g. I get
/images/104/vm-104-disk-1.raw instead of the whole /var/lib/vz/...)

More importantly if a container has full access to a loop device it can
detach the device, freeing it up to be used for the next container that
starts, after which it has full access to that other container's disk
attached to the same loop device. This is unacceptable.

@Alexandre: what's the reason for the cgroup devices.allow listing? This
is the part that concerns me. It's fine for non-loop devices, but with
loop devices this is a problem.
IIRC it was something about resizing, but I'm going to handle this from
the outside via an API call, so the container wouldn't be required to
access the loop device directly anymore.
Is there anything else to consider? Otherwise the loop-device code will
be replaced in favor of `-o loop` as this sets the autoclear flag, which
means we don't need to clean up after loops manually at all.
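As an added illustration (not code from the thread or from Proxmox), the two conditions the mail is concerned about can be checked from the host side: whether any attached loop device lacks the autoclear flag that `mount -o loop` sets, and whether a container's device cgroup grants it access to loop block devices (Linux block major 7). The script below parses the JSON that `losetup --list --json` prints (key names `loopdevices`, `name`, `autoclear`, `back-file`) and a cgroup v1 `devices.list` file; both inputs here are constructed samples rather than output captured from a real host, and the function names are my own.

```python
"""Host-side checks for the loop-device hazards described in the mail.

Added example, not part of the pve-devel thread. The sample inputs below are
constructed to resemble `losetup --list --json` output and a cgroup v1
`devices.list` file; they were not captured from a real system.
"""
import json

LOOP_MAJOR = 7  # block major number of /dev/loopN on Linux

# Constructed sample of `losetup --list --json` output: loop0 was attached by
# `mount -o loop` (autoclear set), loop1 by a bare `losetup` call (no autoclear).
SAMPLE_LOSETUP_JSON = json.dumps({
    "loopdevices": [
        {"name": "/dev/loop0", "sizelimit": 0, "offset": 0, "autoclear": True,
         "ro": False, "back-file": "/var/lib/vz/images/104/vm-104-disk-1.raw"},
        {"name": "/dev/loop1", "sizelimit": 0, "offset": 0, "autoclear": False,
         "ro": False, "back-file": "/var/lib/vz/images/105/vm-105-disk-1.raw"},
    ]
})

# Constructed sample of a container's cgroup v1 devices.list; the `b 7:* rwm`
# line is the kind of loop-device grant the mail objects to.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:8 rwm
b 7:* rwm
c 136:* rwm
"""


def _as_bool(value):
    # Older util-linux versions emit JSON booleans as the strings "0"/"1".
    return value in (True, 1, "1", "true")


def parse_losetup_json(text):
    """Return the list of loop-device records from `losetup --list --json` output."""
    return json.loads(text).get("loopdevices", [])


def loops_without_autoclear(devices):
    """Names of attached loop devices that will NOT detach on last close.

    Such devices need manual cleanup, which is exactly what `-o loop` avoids.
    """
    return [d["name"] for d in devices if not _as_bool(d.get("autoclear"))]


def parse_devices_list(text):
    """Parse cgroup v1 devices.list lines into (type, major, minor, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, majmin, perms = line.split()
        major, minor = majmin.split(":")
        entries.append((kind, major, minor, perms))
    return entries


def loop_device_grants(devices_list_text):
    """Entries that give the cgroup access to loop block devices.

    A grant matches if it is a block ('b') or all-types ('a') rule whose major
    is 7 or a wildcard; such a rule lets the container detach the loop device.
    """
    return [
        e for e in parse_devices_list(devices_list_text)
        if e[0] in ("b", "a") and e[1] in ("*", str(LOOP_MAJOR))
    ]


def report(losetup_json, devices_list_text):
    """Summarise both checks as a dict of findings."""
    return {
        "no_autoclear": loops_without_autoclear(parse_losetup_json(losetup_json)),
        "loop_grants": loop_device_grants(devices_list_text),
    }


if __name__ == "__main__":
    # On a real host you would feed in: subprocess.check_output(["losetup", "-lJ"])
    # and the contents of /sys/fs/cgroup/devices/lxc/<vmid>/devices.list.
    print(json.dumps(report(SAMPLE_LOSETUP_JSON, SAMPLE_DEVICES_LIST), indent=2))
```

Run against real data, an empty `no_autoclear` list and an empty `loop_grants` list are the expected state once the loop code is replaced by `-o loop` and the `devices.allow` entry for loop devices is dropped; anything else is the situation the mail describes, where a container could detach a loop device and later see another container's disk on the same device.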

