From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 448D51FF183 for ; Wed, 2 Jul 2025 20:14:37 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 530C7350BA; Wed, 2 Jul 2025 20:15:15 +0200 (CEST) Message-ID: <93a47d7d-a5b8-4623-b3fe-11811b2f1918@proxmox.com> Date: Wed, 2 Jul 2025 20:15:03 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Fiona Ebner To: pve-devel@lists.proxmox.com References: <20250702162838.393696-1-f.ebner@proxmox.com> <20250702162838.393696-15-f.ebner@proxmox.com> Content-Language: en-GB In-Reply-To: <20250702162838.393696-15-f.ebner@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.145 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.232 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH storage v5 14/51] qemu blockdev options: restrict allowed drivers and options X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On 02.07.25 6:27 PM, Fiona Ebner wrote: > @@ -733,7 +829,25 @@ sub qemu_blockdev_options { > die "cannot use volume of type '$vtype' as a QEMU blockdevice\n" > if $vtype ne 'images' && $vtype ne 'iso' && $vtype ne 'import'; > > - return $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options); > + my $blockdev = > + $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options); > + > + if (my $driver = $blockdev->{driver}) { > + my $allowed_opts = $allowed_qemu_blockdev_options->{$driver}; My subconscious just told me that I forgot to add a "die" here if the driver itself is not allowed. Like this, all options will get dropped, so it can't be abused, i.e. kinda works by accident, but should be fixed of course. > + for my $opt (keys $blockdev->%*) { > + next if $opt eq 'driver'; > + if (!$allowed_opts->{$opt}) { > + delete($blockdev->{$opt}); > + log_warn( > + "volume '$volid' - dropping block device option '$opt' set by storage plugin" > + . " - not currently part of allowed schema"); > + } > + } > + } else { > + die "storage plugin for '$storeid' did not return a blockdev driver\n"; > + } > + > + return $blockdev; > } > > # used as last resort to adapt volnames when migrating _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel