From: Markus Frank <m.frank@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH qemu-server v6 2/3] Permission check for virtiofs directory access
Date: Thu, 6 Jul 2023 12:54:15 +0200
Message-ID: <20230706105421.54949-6-m.frank@proxmox.com>
In-Reply-To: <20230706105421.54949-1-m.frank@proxmox.com>
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
PVE/API2/Qemu.pm | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index d0c199b..2048e4a 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -585,6 +585,19 @@ my $check_vm_create_serial_perm = sub {
return 1;
};
+my sub check_vm_dir_perm {
+ my ($rpcenv, $authuser, $param) = @_;
+
+ return 1 if $authuser eq 'root@pam';
+
+ foreach my $opt (keys %{$param}) {
+ next if $opt !~ m/^virtiofs\d+$/;
+ my $virtiofs = PVE::JSONSchema::parse_property_string('pve-qm-virtiofs', $param->{$opt});
+ $rpcenv->check_full($authuser, "/mapping/dir/$virtiofs->{dirid}", ['Mapping.Use']);
+ }
+ return 1;
+};
+
my sub check_usb_perm {
my ($rpcenv, $authuser, $vmid, $pool, $opt, $value) = @_;
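Review bot: the `Mapping.Use` check on `/mapping/dir/$virtiofs->{dirid}` is the only place the ACL path for directory mappings is encoded, and nothing explains the choice; the sibling `$check_vm_modify_config_perm` (next hunk) annotates its privilege decisions with comments such as `# the user needs Disk and PowerMgmt privileges to change the vmstate`, so add a matching one-liner above the `foreach`. A smaller point: `parse_property_string` runs on the raw `$param->{$opt}` before `check_full`, so a malformed value from an unprivileged user produces a schema error rather than a permission error; that is harmless, but state it in the comment so nobody later reorders the two calls expecting a different failure mode.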
@@ -686,6 +699,8 @@ my $check_vm_modify_config_perm = sub {
# the user needs Disk and PowerMgmt privileges to change the vmstate
# also needs privileges on the storage, that will be checked later
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk', 'VM.PowerMgmt' ]);
+ } elsif ($opt =~ m/^virtiofs\d$/) {
+ $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
} else {
# catches args, lock, etc.
# new options will be checked here
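Review bot: `m/^virtiofs\d$/` only matches single-digit indices, while `check_vm_dir_perm` in the first hunk matches `m/^virtiofs\d+$/`; a key such as `virtiofs10` would pass the mapping check there but fall through to the `else` branch here (`# catches args, lock, etc.`) instead of being checked for `VM.Config.Disk`. Use `\d+` in both places so the two checks cover the same set of keys.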
@@ -924,6 +939,7 @@ __PACKAGE__->register_method({
&$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
+ check_vm_dir_perm($rpcenv, $authuser, $param);
&$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
check_vm_create_hostpci_perm($rpcenv, $authuser, $vmid, $pool, $param);
@@ -1646,6 +1662,8 @@ my $update_vm_api = sub {
&$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);
+ check_vm_dir_perm($rpcenv, $authuser, $param);
+
&$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
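Review bot: the call is followed by an added blank line before `&$check_storage_access`, whereas in the create path (previous hunk) it is inserted directly into the run of permission checks with no separator; lay the two call sites out the same way. Also note that `$check_vm_modify_config_perm` receives `undef` for `$pool` here but a real `$pool` in the create path, while `check_vm_dir_perm` takes no pool argument at all and checks only the `/mapping/dir/<dirid>` ACL path; a short comment at this call site saying the directory check is independent of pool membership would spare a later reader from looking for a pool check that does not exist.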
--
2.39.2
2023-07-06 10:54 [pve-devel] [PATCH cluster/guest-common/qemu-server/manager v6 0/11] virtiofs Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH cluster v6 1/1] add mapping/dir.cfg for resource mapping Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH guest-common v6 1/1] add DIR mapping config Markus Frank
2023-07-19 12:09 ` Fabian Grünbichler
2023-07-06 10:54 ` [pve-devel] [PATCH docs v6 1/1] added shared filesystem doc for virtio-fs Markus Frank
2023-07-17 8:08 ` Christoph Heiss
2023-07-06 10:54 ` [pve-devel] [PATCH qemu-server v6 1/3] feature #1027: virtio-fs support Markus Frank
2023-07-19 12:08 ` Fabian Grünbichler
2023-07-06 10:54 ` Markus Frank [this message]
2023-07-06 10:54 ` [pve-devel] [PATCH qemu-server v6 3/3] check_local_resources: virtiofs Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH manager v6 1/5] api: add resource map api endpoints for directories Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH manager v6 2/5] ui: add edit window for dir mappings Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH manager v6 3/5] ui: ResourceMapTree for DIR Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH manager v6 4/5] ui: form: add DIRMapSelector Markus Frank
2023-07-06 10:54 ` [pve-devel] [PATCH manager v6 5/5] ui: added options to add virtio-fs to qemu config Markus Frank
2023-07-17 7:51 ` [pve-devel] [PATCH cluster/guest-common/qemu-server/manager v6 0/11] virtiofs Christoph Heiss
2023-07-18 12:56 ` Friedrich Weber
2023-07-19 12:08 ` Fabian Grünbichler
2023-07-20 7:12 ` Fabian Grünbichler