[pve-devel] [PATCH storage v5 14/51] qemu blockdev options: restrict allowed drivers and options
Fiona Ebner
f.ebner at proxmox.com
Wed Jul 2 20:15:03 CEST 2025
On 02.07.25 6:27 PM, Fiona Ebner wrote:
> @@ -733,7 +829,25 @@ sub qemu_blockdev_options {
> die "cannot use volume of type '$vtype' as a QEMU blockdevice\n"
> if $vtype ne 'images' && $vtype ne 'iso' && $vtype ne 'import';
>
> - return $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options);
> + my $blockdev =
> + $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options);
> +
> + if (my $driver = $blockdev->{driver}) {
> + my $allowed_opts = $allowed_qemu_blockdev_options->{$driver};

My subconscious just told me that I forgot to add a "die" here if the
driver itself is not allowed. Like this, all options will get dropped,
so it can't be abused, i.e. kinda works by accident, but should be fixed
of course.

> + for my $opt (keys $blockdev->%*) {
> + next if $opt eq 'driver';
> + if (!$allowed_opts->{$opt}) {
> + delete($blockdev->{$opt});
> + log_warn(
> + "volume '$volid' - dropping block device option '$opt' set by storage plugin"
> + . " - not currently part of allowed schema");
> + }
> + }
> + } else {
> + die "storage plugin for '$storeid' did not return a blockdev driver\n";
> + }
> +
> + return $blockdev;
> }
>
> # used as last resort to adapt volnames when migrating
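
Review bot: At `my $allowed_opts = $allowed_qemu_blockdev_options->{$driver};` a driver with no entry in the allow-list leaves `$allowed_opts` undefined, so the loop deletes every option one warning at a time and the function still returns a blockdev that carries only the unlisted driver. Fail closed right after the lookup, for example `die "storage plugin for '$storeid' returned blockdev driver '$driver', which is not allowed\n" if !$allowed_opts;`, which matches the existing `die` in the `else` branch. The loop also tests only top-level key names through `$allowed_opts->{$opt}`, so if any allowed option can hold a nested hash, its contents pass through unchecked; either add a comment stating that the values are expected to be scalars or check that they are.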