* [pve-devel] [PATCH container] config permission check: also check access for currently configured bridge
@ 2023-07-17  7:15 Fiona Ebner
  2023-07-17  7:15 ` [pve-devel] [PATCH qemu-server] api: update: " Fiona Ebner
  2023-07-19 10:23 ` [pve-devel] applied: [PATCH container] config permission check: " Fabian Grünbichler
  0 siblings, 2 replies; 4+ messages in thread
From: Fiona Ebner @ 2023-07-17  7:15 UTC
  To: pve-devel

Relevant when modifying or removing an existing network device.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/LXC.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index a531ea5..1e9af0f 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1316,7 +1316,8 @@ sub check_ct_modify_config_perm {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
 	} elsif ($opt =~ m/^net\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
-	    PVE::LXC::check_bridge_access($rpcenv, $authuser, $newconf->{$opt});
+	    check_bridge_access($rpcenv, $authuser, $oldconf->{$opt}) if $oldconf->{$opt};
+	    check_bridge_access($rpcenv, $authuser, $newconf->{$opt}) if $newconf->{$opt};
 	} elsif ($opt eq 'nameserver' || $opt eq 'searchdomain' || $opt eq 'hostname') {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
 	} elsif ($opt eq 'features') {
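Review bot: the two guarded `check_bridge_access` calls on the `+` lines carry no comment saying why the old value is checked, and the commit message only says "Relevant when modifying or removing an existing network device." A one-line comment above them, for example `# changing or removing a NIC also requires access to the bridge it is currently attached to`, would keep a later cleanup from collapsing this back to the `$newconf`-only check that the `-` line had.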
-- 
2.39.2






* [pve-devel] [PATCH qemu-server] api: update: also check access for currently configured bridge
  2023-07-17  7:15 [pve-devel] [PATCH container] config permission check: also check access for currently configured bridge Fiona Ebner
@ 2023-07-17  7:15 ` Fiona Ebner
  2023-07-19 10:22   ` [pve-devel] applied: " Fabian Grünbichler
  2023-07-19 10:23 ` [pve-devel] applied: [PATCH container] config permission check: " Fabian Grünbichler
  1 sibling, 1 reply; 4+ messages in thread
From: Fiona Ebner @ 2023-07-17  7:15 UTC
  To: pve-devel

Relevant when modifying or removing an existing network device.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Qemu.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 59307133..fd718f93 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1792,6 +1792,13 @@ my $update_vm_api  = sub {
 		    assert_tag_permissions($vmid, $val, '', $rpcenv, $authuser);
 		    delete $conf->{$opt};
 		    PVE::QemuConfig->write_config($vmid, $conf);
+		} elsif ($opt =~ m/^net\d+$/) {
+		    if ($conf->{$opt}) {
+			PVE::QemuServer::check_bridge_access(
+			    $rpcenv, $authuser, { $opt => $conf->{$opt} });
+		    }
+		    PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
+		    PVE::QemuConfig->write_config($vmid, $conf);
 		} else {
 		    PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
 		    PVE::QemuConfig->write_config($vmid, $conf);
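Review bot: the new `net\d+` branch in the delete path repeats the two statements of the `else` branch below it (`add_to_pending_delete` followed by `write_config`) and differs only in the bridge check. Consider making the guarded `check_bridge_access` call a statement of its own ahead of this chain, or moving the shared delete-and-write pair into a small helper, so the generic delete handling exists in one place and a later change to it cannot miss network devices.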
@@ -1860,6 +1867,12 @@ my $update_vm_api  = sub {
 		} elsif ($opt eq 'tags') {
 		    assert_tag_permissions($vmid, $conf->{$opt}, $param->{$opt}, $rpcenv, $authuser);
 		    $conf->{pending}->{$opt} = PVE::GuestHelpers::get_unique_tags($param->{$opt});
+		} elsif ($opt =~ m/^net\d+$/) {
+		    if ($conf->{$opt}) {
+			PVE::QemuServer::check_bridge_access(
+			    $rpcenv, $authuser, { $opt => $conf->{$opt} });
+		    }
+		    $conf->{pending}->{$opt} = $param->{$opt};
 		} else {
 		    $conf->{pending}->{$opt} = $param->{$opt};
 
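Review bot: the check in the new `net\d+` branch looks only at `$conf->{$opt}`, while the line after it overwrites `$conf->{pending}->{$opt}`. If a pending, not yet applied value for the same device can name a different bridge than the active one, this branch replaces it without any access check on that bridge; either check the pending value as well or state in a comment why only the active value matters.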
-- 
2.39.2






* [pve-devel] applied: [PATCH qemu-server] api: update: also check access for currently configured bridge
  2023-07-17  7:15 ` [pve-devel] [PATCH qemu-server] api: update: " Fiona Ebner
@ 2023-07-19 10:22   ` Fabian Grünbichler
  0 siblings, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2023-07-19 10:22 UTC
  To: Proxmox VE development discussion

On July 17, 2023 9:15 am, Fiona Ebner wrote:
> Relevant when modifying or removing an existing network device.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  PVE/API2/Qemu.pm | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 59307133..fd718f93 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -1792,6 +1792,13 @@ my $update_vm_api  = sub {
>  		    assert_tag_permissions($vmid, $val, '', $rpcenv, $authuser);
>  		    delete $conf->{$opt};
>  		    PVE::QemuConfig->write_config($vmid, $conf);
> +		} elsif ($opt =~ m/^net\d+$/) {
> +		    if ($conf->{$opt}) {
> +			PVE::QemuServer::check_bridge_access(
> +			    $rpcenv, $authuser, { $opt => $conf->{$opt} });
> +		    }
> +		    PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
> +		    PVE::QemuConfig->write_config($vmid, $conf);
>  		} else {
>  		    PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
>  		    PVE::QemuConfig->write_config($vmid, $conf);
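Review bot: the four-line guarded call in this `net\d+` branch is repeated verbatim in the second hunk, so the delete and update paths can drift apart. A small local helper taking `$conf` and `$opt` and building the `{ $opt => $conf->{$opt} }` argument would keep one copy. The container patch in this thread passes the bare value `$oldconf->{$opt}` to its own `check_bridge_access`, so a short comment on the argument shape expected here would also help anyone comparing the two.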
> @@ -1860,6 +1867,12 @@ my $update_vm_api  = sub {
>  		} elsif ($opt eq 'tags') {
>  		    assert_tag_permissions($vmid, $conf->{$opt}, $param->{$opt}, $rpcenv, $authuser);
>  		    $conf->{pending}->{$opt} = PVE::GuestHelpers::get_unique_tags($param->{$opt});
> +		} elsif ($opt =~ m/^net\d+$/) {
> +		    if ($conf->{$opt}) {
> +			PVE::QemuServer::check_bridge_access(
> +			    $rpcenv, $authuser, { $opt => $conf->{$opt} });
> +		    }
> +		    $conf->{pending}->{$opt} = $param->{$opt};
>  		} else {
>  		    $conf->{pending}->{$opt} = $param->{$opt};
>  
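Review bot: the diffstat lists only `PVE/API2/Qemu.pm`, so the new `net\d+` branch in this hunk ships without a test. A regression test for an update of an existing `netN` by a user without access to the currently configured bridge, plus one where `$conf->{$opt}` is unset so the `if ($conf->{$opt})` guard skips the call, would pin down both sides of the condition.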
> -- 
> 2.39.2

* [pve-devel] applied: [PATCH container] config permission check: also check access for currently configured bridge
  2023-07-17  7:15 [pve-devel] [PATCH container] config permission check: also check access for currently configured bridge Fiona Ebner
  2023-07-17  7:15 ` [pve-devel] [PATCH qemu-server] api: update: " Fiona Ebner
@ 2023-07-19 10:23 ` Fabian Grünbichler
  1 sibling, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2023-07-19 10:23 UTC
  To: Proxmox VE development discussion

On July 17, 2023 9:15 am, Fiona Ebner wrote:
> Relevant when modifying or removing an existing network device.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  src/PVE/LXC.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index a531ea5..1e9af0f 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1316,7 +1316,8 @@ sub check_ct_modify_config_perm {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
>  	} elsif ($opt =~ m/^net\d+$/) {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
> -	    PVE::LXC::check_bridge_access($rpcenv, $authuser, $newconf->{$opt});
> +	    check_bridge_access($rpcenv, $authuser, $oldconf->{$opt}) if $oldconf->{$opt};
> +	    check_bridge_access($rpcenv, $authuser, $newconf->{$opt}) if $newconf->{$opt};
>  	} elsif ($opt eq 'nameserver' || $opt eq 'searchdomain' || $opt eq 'hostname') {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
>  	} elsif ($opt eq 'features') {
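Review bot: the second `+` line changes the existing new-value check in two ways the commit message does not mention: the call loses its `PVE::LXC::` qualifier and gains an `if $newconf->{$opt}` guard, where the `-` line called it unconditionally. The message should say that the new-value check is now skipped when the option is absent from `$newconf`, and the qualifier change is better kept out of a permission fix so the behavioural change is the only thing in the diff.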
> -- 
> 2.39.2
