From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH container v9 1/1] check_ct_modify_config_perm: improve tag privilege check
Date: Mon, 14 Nov 2022 10:43:50 +0100 [thread overview]
Message-ID: <20221114094404.1241050-7-d.csapak@proxmox.com> (raw)
In-Reply-To: <20221114094404.1241050-1-d.csapak@proxmox.com>
'normal' tags require 'VM.Config.Options' on '/vm/<vmid>', but not
allowed tags (either limited with 'user-tag-access' or 'privileged-tags'
in the datacenter config) require 'Sys.Modify' on '/'
this patch implements the proper checks on adding/editing/deleting
these permissions
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
changes from v8:
* adapt to 'get_allowed_tags'
* cache privilege checks (so we don't have to do it when many tags change)
src/PVE/LXC.pm | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 4bbd739..44dee7e 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1336,6 +1336,48 @@ sub check_ct_modify_config_perm {
} elsif ($opt eq 'hookscript') {
# For now this is restricted to root@pam
raise_perm_exc("changing the hookscript is only allowed for root\@pam");
+ } elsif ($opt eq 'tags') {
+ my $allowed_tags;
+ my $privileged_tags;
+ my $freeform;
+ my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1);
+ my $has_config_options =
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 1);
+
+ my $check_tag_perms = sub {
+ my ($tag) = @_;
+
+ return if $privileged_user;
+
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'])
+ if !$has_config_options;
+
+ if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($freeform)) {
+ ($allowed_tags, $privileged_tags, $freeform)
+ = PVE::DataCenterConfig::get_allowed_tags($rpcenv, $authuser);
+ }
+
+ if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) {
+ die "'Sys.Modify' required on '/' for modifying tag $tag\n" if !$privileged_user;
+ }
+ };
+
+ my $old_tags = {};
+ my $new_tags = {};
+
+ map { $old_tags->{$_} += 1 } PVE::Tools::split_list($oldconf->{$opt} // '');
+ map { $new_tags->{$_} += 1 } PVE::Tools::split_list($newconf->{$opt});
+
+ my $check_tags = sub {
+ my ($a, $b) = @_;
+ foreach my $tag (keys %$a) {
+ next if ($b->{$tag} // 0) == ($a->{$tag} // 0);
+ $check_tag_perms->($tag);
+ }
+ };
+
+ $check_tags->($old_tags, $new_tags);
+ $check_tags->($new_tags, $old_tags);
} else {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
}
--
2.30.2
next prev parent reply other threads:[~2022-11-14 9:44 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-14 9:43 [pve-devel] [PATCH cluster/qemu-server/container/wt/manager v9] add tags to ui Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH cluster v9 1/4] add CFS_IPC_GET_GUEST_CONFIG_PROPERTIES method Dominik Csapak
2022-11-14 13:15 ` Wolfgang Bumiller
2022-11-14 9:43 ` [pve-devel] [PATCH cluster v9 2/4] Cluster: add get_guest_config_properties Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH cluster v9 3/4] datacenter.cfg: add option for tag-style Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH cluster v9 4/4] datacenter.cfg: add tag rights control to the datacenter config Dominik Csapak
2022-11-14 13:32 ` Wolfgang Bumiller
2022-11-14 9:43 ` [pve-devel] [PATCH qemu-server v9 1/1] api: update: improve tag privilege check Dominik Csapak
2022-11-14 13:37 ` Wolfgang Bumiller
2022-11-15 8:34 ` Aaron Lauterer
2022-11-14 9:43 ` Dominik Csapak [this message]
2022-11-14 13:37 ` [pve-devel] [PATCH container v9 1/1] check_ct_modify_config_perm: " Wolfgang Bumiller
2022-11-14 9:43 ` [pve-devel] [PATCH widget-toolkit v9 1/2] add tag related helpers Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH widget-toolkit v9 2/2] Toolkit: add override for Ext.dd.DragDropManager Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 01/12] api: /cluster/resources: add tags to returned properties Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 02/12] api: add /ui-options api call Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 03/12] ui: call '/ui-options' and save the result in PVE.UIOptions Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 04/12] ui: parse and save tag infos from /ui-options Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 05/12] ui: add form/TagColorGrid Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 06/12] ui: add PVE.form.ListField Dominik Csapak
2022-11-14 9:43 ` [pve-devel] [PATCH manager v9 07/12] ui: dc/OptionView: add editors for tag settings Dominik Csapak
2022-11-14 9:44 ` [pve-devel] [PATCH manager v9 08/12] ui: add form/Tag Dominik Csapak
2022-11-14 9:44 ` [pve-devel] [PATCH manager v9 09/12] ui: add form/TagEdit.js Dominik Csapak
2022-11-14 9:44 ` [pve-devel] [PATCH manager v9 10/12] ui: {lxc, qemu}/Config: show Tags and make them editable Dominik Csapak
2022-11-14 9:44 ` [pve-devel] [PATCH manager v9 11/12] ui: tree/ResourceTree: show Tags in tree Dominik Csapak
2022-11-14 9:44 ` [pve-devel] [PATCH manager v9 12/12] ui: add tags to ResourceGrid and GlobalSearchField Dominik Csapak
2022-11-14 17:20 ` [pve-devel] [PATCH cluster/qemu-server/container/wt/manager v9] add tags to ui Aaron Lauterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221114094404.1241050-7-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.