[pve-devel] [RFC v2 pve-container 2/4] fix block device access

[Wolfgang Bumiller]

-) The condition was apparently to ignore /dev/ paths while
   that's actually what it was supposed to handle... (other
   paths aren't devices...).
-) Get rid of the blockdevices_list heuristics, it doesn't
   work reliably for all types of devices.
-) Check whether a device is a block device via S_ISBLK on
   the device file.
-) Don't try to follow symlinks as the name we provide in
   the mp config is the name we want in the container.
-) Blacklisted loop devices as they pose a security risk.
---
 src/PVE/LXC.pm         | 13 -------------
 src/lxc-pve-mount-hook | 21 ++++++++++-----------
 2 files changed, 10 insertions(+), 24 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 216c3cf..7f11ba0 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1818,19 +1818,6 @@ sub foreach_mountpoint_reverse {
     foreach_mountpoint_full($conf, 1, $func);
 }
 
-sub blockdevices_list {
-
-    my $bdevs = {};
-    dir_glob_foreach("/sys/dev/block/", '(\d+):(\d+)', sub {
-        my (undef, $major, $minor) = @_;
-        my $bdev = readlink("/sys/dev/block/$major:$minor");
-        $bdev =~ s/\.\.\/\.\.\/devices\/virtual\/block\//\/dev\//;
-        $bdevs->{$bdev}->{major} = $major;
-        $bdevs->{$bdev}->{minor} = $minor;
-    });
-    return $bdevs;
-}
-
 sub check_ct_modify_config_perm {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 
diff --git a/src/lxc-pve-mount-hook b/src/lxc-pve-mount-hook
index b7d84ed..41a25cf 100755
--- a/src/lxc-pve-mount-hook
+++ b/src/lxc-pve-mount-hook
@@ -7,6 +7,7 @@ exit 0 if $ENV{LXC_NAME} && $ENV{LXC_NAME} !~ /^\d+$/;
 
 use POSIX;
 use File::Path;
+use Fcntl ':mode';
 
 use PVE::SafeSyslog;
 use PVE::Tools;
@@ -88,8 +89,6 @@ __PACKAGE__->register_method ({
 	$raw = -f $fn ? PVE::Tools::file_get_contents($fn) : '';
 	my $storage_cfg = PVE::Storage::Plugin->parse_config($fn, $raw);
 
-	my $bdevs = PVE::LXC::blockdevices_list();
-
 	my $setup_mountpoint = sub {
 	    my ($ms, $mountpoint) = @_;
 
@@ -101,18 +100,18 @@ __PACKAGE__->register_method ({
 	    my ($ms, $mountpoint) = @_;
 
 	    my $volid = $mountpoint->{volume};
-	    return if !$volid || $volid =~ m|^/dev/.+|;
+	    return if !$volid || $volid !~ m|^/dev/.+|;
 
 	    my $path = PVE::LXC::mountpoint_mount_path($mountpoint, $storage_cfg);
 
-	    if (-l $path) {
-		$path = readlink($path);
-		$path =~ s/\.\.\/\.\.\//\/dev\//;
-	    }
-
-	    if ($bdevs->{$path}) {
-		PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b',  $bdevs->{$path}->{major}, $bdevs->{$path}->{minor}]);
-		PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b $bdevs->{$path}->{major}:$bdevs->{$path}->{minor} rwm");
+	    my (undef, undef, $mode, undef, undef, undef, $rdev) = stat($path);
+	    if ($mode && S_ISBLK($mode) && $rdev) {
+		my $major = int($rdev / 0x100);
+		my $minor = $rdev % 0x100;
+		if ($major != 7) { # must not be a loop device
+		    PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b', $major, $minor]);
+		    PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b ${major}:${minor} rwm");
+		}
 	    }
 	};
 
-- 
2.1.4