Forcing volumes to be qcow2 format always completely removes the issue - migration of old volumes is the issue there.
Validation of the backing chain can't just be by path / regex, as one avenue for attack is to use other tenant's volumes as backing files, which will have the correct path and name structure.
Forcing volumes to be qcow2 format always completely removes the issue - migration of old volumes is the issue there.
Validation of the backing chain can't just be by path / regex, as one avenue for attack is to use other tenant's volumes as backing files, which will have the correct path and name structure.