[pve-devel] [PATCH storage] check volume access: handle new 'ct-vol' and 'vm-vol' vtypes

Fiona Ebner f.ebner at proxmox.com
Wed Jul 30 15:23:13 CEST 2025 

In the tests, legacy volids resulting in 'images' vtype will be
allowed for both 'ct-vol' and 'vm-vol'.

New test cases for new-form guest image volids are added too.

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---

Is based on top of Wolfgang's staff repo as well as [0].

[0]: https://lore.proxmox.com/pve-devel/20250730130506.96278-1-f.ebner@proxmox.com/T/#u

 src/PVE/Storage.pm                  | 31 ++++++++++++++++++---
 src/test/run_volume_access_tests.pl | 43 +++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Storage.pm b/src/PVE/Storage.pm
index 91a0278..e6dabc3 100755
--- a/src/PVE/Storage.pm
+++ b/src/PVE/Storage.pm
@@ -646,9 +646,32 @@ sub check_volume_access {
     if ($sid) {
         my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
 
-        # Need to allow 'images' when expecting 'rootdir' too - not cleanly separated in plugins.
-        die "unable to use volume $volid - content type needs to be '$type'\n"
-            if defined($type) && $vtype ne $type && ($type ne 'rootdir' || $vtype ne 'images');
+        my $is_guest_image_vtype =
+            $vtype eq 'ct-vol' || $vtype eq 'vm-vol' || $vtype eq 'images' || $vtype eq 'rootdir';
+
+        if (defined($type)) {
+            my $msg = "unable to use volume $volid - volume type needs to be '$type'";
+
+            # TODO PVE 10.x die or remove completely, once all callers are adapted
+            $type = 'vm-vol' if $type eq 'images';
+            $type = 'ct-vol' if $type eq 'rootdir';
+
+            if ($is_guest_image_vtype) {
+                if ($type eq 'vm-vol') {
+                    die "$msg or 'images'\n" if $vtype ne $type && $vtype ne 'images';
+                } elsif ($type eq 'ct-vol') {
+                    # need to allow 'images' when expecting 'ct-vol' too for backwards-compat
+                    die "$msg or 'rootdir' or 'images'\n"
+                        if $vtype ne $type && $vtype ne 'rootdir' && $vtype ne 'images';
+                } else {
+                    # $type is not for guest-images, but $vtype is, disallow
+                    die "$msg\n";
+                }
+            } else {
+                # can check directly
+                die "$msg\n" if $vtype ne $type;
+            }
+        }
 
         return if $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate'], 1);
 
@@ -664,7 +687,7 @@ sub check_volume_access {
         } elsif ($vtype eq 'backup' && $ownervm) {
             $rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
             $rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
-        } elsif (($vtype eq 'images' || $vtype eq 'rootdir') && $ownervm) {
+        } elsif ($is_guest_image_vtype && $ownervm) {
             $rpcenv->check($user, "/storage/$sid", ['Datastore.Audit']);
             $rpcenv->check($user, "/vms/$ownervm", ['VM.Config.Disk']);
         } else {
diff --git a/src/test/run_volume_access_tests.pl b/src/test/run_volume_access_tests.pl
index ce9fc2e..9744b65 100755
--- a/src/test/run_volume_access_tests.pl
+++ b/src/test/run_volume_access_tests.pl
@@ -78,6 +78,28 @@ my @tests = (
             'backup' => 1,
         },
     },
+    {
+        volid => 'dir:100/vol-vm-100-disk-0.qcow2',
+        denied_users => {
+            'backup at pve' => 1,
+            'dsaudit at pve' => 1,
+        },
+        allowed_types => {
+            'images' => 1,
+            'vm-vol' => 1,
+        },
+    },
+    {
+        volid => 'dir:100/vol-ct-100-disk-0.raw',
+        denied_users => {
+            'backup at pve' => 1,
+            'dsaudit at pve' => 1,
+        },
+        allowed_types => {
+            'rootdir' => 1,
+            'ct-vol' => 1,
+        },
+    },
     {
         volid => 'dir:100/vm-100-disk-0.qcow2',
         denied_users => {
@@ -87,6 +109,8 @@ my @tests = (
         allowed_types => {
             'images' => 1,
             'rootdir' => 1,
+            'ct-vol' => 1,
+            'vm-vol' => 1,
         },
     },
     {
@@ -105,6 +129,17 @@ my @tests = (
             'iso' => 1,
         },
     },
+    {
+        volid => 'dir:111/subvol-ct-111-disk-0.subvol',
+        denied_users => {
+            'backup at pve' => 1,
+            'dsaudit at pve' => 1,
+        },
+        allowed_types => {
+            'rootdir' => 1,
+            'ct-vol' => 1,
+        },
+    },
     {
         volid => 'dir:111/subvol-111-disk-0.subvol',
         denied_users => {
@@ -114,6 +149,8 @@ my @tests = (
         allowed_types => {
             'images' => 1,
             'rootdir' => 1,
+            'ct-vol' => 1,
+            'vm-vol' => 1,
         },
     },
     # test different VM IDs
@@ -138,6 +175,8 @@ my @tests = (
         allowed_types => {
             'images' => 1,
             'rootdir' => 1,
+            'ct-vol' => 1,
+            'vm-vol' => 1,
         },
     },
     {
@@ -155,6 +194,8 @@ my @tests = (
         allowed_types => {
             'images' => 1,
             'rootdir' => 1,
+            'ct-vol' => 1,
+            'vm-vol' => 1,
         },
     },
     {
@@ -184,6 +225,8 @@ my @tests = (
         allowed_types => {
             'images' => 1,
             'rootdir' => 1,
+            'ct-vol' => 1,
+            'vm-vol' => 1,
         },
     },
     # test paths
-- 
2.47.2

More information about the pve-devel mailing list