[pve-devel] [RFC pve-container 2/4] do not allow full access to loop devices via cgroups

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Sep 7 12:27:14 CEST 2015


and improve the device path listing
---
 src/PVE/LXC.pm         | 2 +-
 src/lxc-pve-mount-hook | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 216c3cf..7ee887d 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1824,7 +1824,7 @@ sub blockdevices_list {
     dir_glob_foreach("/sys/dev/block/", '(\d+):(\d+)', sub {
         my (undef, $major, $minor) = @_;
         my $bdev = readlink("/sys/dev/block/$major:$minor");
-        $bdev =~ s/\.\.\/\.\.\/devices\/virtual\/block\//\/dev\//;
+        $bdev =~ s!^.*/!/dev/!;
         $bdevs->{$bdev}->{major} = $major;
         $bdevs->{$bdev}->{minor} = $minor;
     });
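Review bot: The new substitution on the readlink result is applied without checking that readlink succeeded; if the `/sys/dev/block/$major:$minor` link vanishes between the glob and the readlink (device removed), `$bdev` is undef, `s!^.*/!/dev/!` warns, and an entry keyed on the empty string (or `/dev/`) is recorded in `$bdevs`. A guard before the substitution, `return unless defined $bdev;`, keeps the listing clean (the callback is a sub, so `return` skips just that entry). Note also that the old pattern only rewrote `devices/virtual/block/` links while the new `^.*/` prefix strip resolves every sysfs block link to a `/dev/` name, so the listing now presumably includes non-virtual disks and their partitions as well; a comment such as `# strip the sysfs path down to the leaf name; covers virtual and physical devices` would make that widening intentional for readers of the mount hook that consumes this map. blockdevices_list starts and ends outside the hunk.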
diff --git a/src/lxc-pve-mount-hook b/src/lxc-pve-mount-hook
index b7d84ed..bfa58c6 100755
--- a/src/lxc-pve-mount-hook
+++ b/src/lxc-pve-mount-hook
@@ -110,7 +110,7 @@ __PACKAGE__->register_method ({
 		$path =~ s/\.\.\/\.\.\//\/dev\//;
 	    }
 
-	    if ($bdevs->{$path}) {
+	    if ($bdevs->{$path} && $path !~ m!^/dev/loop!) {
 		PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b',  $bdevs->{$path}->{major}, $bdevs->{$path}->{minor}]);
 		PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b $bdevs->{$path}->{major}:$bdevs->{$path}->{minor} rwm");
 	    }
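Review bot: The loop exclusion on the new line is a name-prefix check, while `$bdevs` records the device major and minor right next to it; tying the exclusion to the device type is more robust than to the spelling of `$path`, which is produced by a readlink-based substitution a few lines above (partly outside the hunk). Linux assigns the loop driver the fixed block major 7, so `if ($bdevs->{$path} && $path !~ m!^/dev/loop! && $bdevs->{$path}->{major} != 7) {` excludes a loop device regardless of which name it was resolved to. The surviving branch still creates a world-writable node (`-m 666`) and grants `rwm` in the devices cgroup for every other matched device, so a short why-comment on the exclusion would help the next reader, e.g. `# never hand a loop device to the container: rw/ioctl access lets it alter the host's loop mapping`. The enclosing register_method body continues outside the hunk.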
-- 
2.1.4




