pass device names to the helper

paths are somewhat trivial to exploit. instead resolve them to the
actual block device names under /dev/ and pass that into the privileged
helper. the helper then only needs to verify that $name is in fact a
block device under /dev/.
since unprivileged processes cannot create files in /dev/ directly, let
alone block devices, this should give us a very reliable way of
preventing abuse.