[pve-devel] [RFC pve-container 2/4] do not allow full access to loop devices via cgroups
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Sep 7 12:27:14 CEST 2015
and improve the device path listing
---
src/PVE/LXC.pm | 2 +-
src/lxc-pve-mount-hook | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 216c3cf..7ee887d 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1824,7 +1824,7 @@ sub blockdevices_list {
dir_glob_foreach("/sys/dev/block/", '(\d+):(\d+)', sub {
my (undef, $major, $minor) = @_;
my $bdev = readlink("/sys/dev/block/$major:$minor");
- $bdev =~ s/\.\.\/\.\.\/devices\/virtual\/block\//\/dev\//;
+ $bdev =~ s!^.*/!/dev/!;
$bdevs->{$bdev}->{major} = $major;
$bdevs->{$bdev}->{minor} = $minor;
});
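Review bot: The new substitution `$bdev =~ s!^.*/!/dev/!;` is still applied to the raw result of `readlink`, which returns undef when the sysfs symlink cannot be read, so the key written into `$bdevs` would be the empty string (with an "uninitialized value" warning) rather than the entry being skipped. A guard before the substitution, `return unless defined $bdev;`, keeps a transient sysfs entry from producing a bogus `''` device key. The rewrite also silently assumes every block device's node lives directly under `/dev/` with its sysfs basename; that holds for the common cases but is worth a one-line comment such as `# map the sysfs target (../../devices/.../sdX or ../../devices/virtual/block/dm-N) to its /dev node by basename`. The enclosing `blockdevices_list` starts before this hunk.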
diff --git a/src/lxc-pve-mount-hook b/src/lxc-pve-mount-hook
index b7d84ed..bfa58c6 100755
--- a/src/lxc-pve-mount-hook
+++ b/src/lxc-pve-mount-hook
@@ -110,7 +110,7 @@ __PACKAGE__->register_method ({
$path =~ s/\.\.\/\.\.\//\/dev\//;
}
- if ($bdevs->{$path}) {
+ if ($bdevs->{$path} && $path !~ m!^/dev/loop!) {
PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b', $bdevs->{$path}->{major}, $bdevs->{$path}->{minor}]);
PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b $bdevs->{$path}->{major}:$bdevs->{$path}->{minor} rwm");
}
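Review bot: The loop-device exclusion `$path !~ m!^/dev/loop!` keys on the name of the node rather than on the device itself, so whether a loop device is kept out of `devices.allow` depends on the string that came out of the path rewrite on the lines above rather than on what `$bdevs->{$path}` actually describes. Since the major number is already at hand, the exclusion would be more robust as a test on `$bdevs->{$path}->{major}` against the loop block major (a constant in the kernel's device list; confirm the value against the running kernel rather than hard-coding from memory), with the name check kept as a secondary condition if desired. A short comment stating why loop devices are excluded — the commit title says "do not allow full access", but the code does not — would help the next reader, e.g. `# loop devices must not be exposed: rwm access to them lets the container reach host-backed images`. The enclosing method body starts before this hunk, so the origin of `$path` is not visible here.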
--
2.1.4