From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Thu, 17 Jul 2025 15:36:48 +0200
Message-ID: <20250717133711.84715-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege

The privilege VM.Monitor has a very ambiguous name and is dropped. Most
of the API endpoints using it are for the QEMU guest agent commands, the
only other place is access to the QEMU HMP monitor.

1. Introduce dedicated, more fine-grained privileges for the guest agent
   commands:

   There is a basic VM.GuestAgent.Audit privilege for read-only,
   informational commands.

   There are dedicated privileges VM.GuestAgent.File{Read,Write} for the
   file-{read,write} commands.

   There is a separate VM.GuestAgent.FileSystemMgmt privilege for
   filesystem freeze, thaw and trim.

   The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
   operations, in particular also execution of arbitrary commands with
   guest-exec.

2. For access to the QEMU HMP monitor, only the 'info' and 'help'
   commands were usable without an additional Sys.Modify privilege.
   Since the information accessible via 'info' is very low-level and
   often related to the QEMU process on the system, requiring Sys.Audit
   seems natural.

These are breaking changes. A check in pve8to9 is provided.

qemu-server patch "api: monitor: improve permission handling" and
manager patch "pve8to9: remove outdated checks for user roles" can be
applied independently from the rest of the series.

New qemu-server depends on new access-control, new access-control breaks
old qemu-server.

access-control:

Fiona Ebner (2):
  add VM.GuestAgent privileges
  privileges: drop VM.Monitor

 src/PVE/AccessControl.pm | 7 +++++--
 src/test/perm-test1.pl   | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)


qemu-server:

Fiona Ebner (3):
  api: agent: use more specific guest agent privileges
  api: monitor: improve permission handling
  api: monitor: require Sys.Audit or Sys.Modify privilege

 src/PVE/API2/Qemu.pm          |  34 ++++--
 src/PVE/API2/Qemu/Agent.pm    |  66 +++++++++--
 src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
 src/PVE/API2/Qemu/Makefile    |   2 +-
 4 files changed, 289 insertions(+), 20 deletions(-)
 create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm


manager:

Fiona Ebner (2):
  pve8to9: remove outdated checks for user roles
  pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles

 PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)


docs:

Fiona Ebner (2):
  user management: privileges: document new VM guest agent privileges
  user management: privileges: remove reference to dropped VM.Monitor privilege

 pveum.adoc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)


Summary over all repositories:
  8 files changed, 322 insertions(+), 49 deletions(-)

-- 
Generated by git-murpp 0.5.0
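
An added example, not part of the original message and not the pve8to9 check from this series: a sketch of auditing custom roles for the dropped VM.Monitor privilege and reporting which of the replacement privileges each role already holds. It assumes role lines in the `role:<name>:<privileges>:` layout of /etc/pve/user.cfg; the sample configuration, the role names and the function names are constructed for illustration.

```python
# Added example (not Proxmox code): find custom roles that still carry the
# dropped VM.Monitor privilege and show what they already hold in its place.
DROPPED = "VM.Monitor"
# Replacement privileges named in the cover letter, narrowest first.
GUEST_AGENT_PRIVS = [
    "VM.GuestAgent.Audit",
    "VM.GuestAgent.FileRead",
    "VM.GuestAgent.FileWrite",
    "VM.GuestAgent.FileSystemMgmt",
    "VM.GuestAgent.Unrestricted",
]
HMP_PRIVS = {"Sys.Audit", "Sys.Modify"}

# Constructed sample; assumed layout: role:<name>:<priv>,<priv>,...:
SAMPLE_USER_CFG = """\
role:LegacyMonitor:VM.Audit,VM.Monitor:
role:AgentOps:VM.Monitor, VM.GuestAgent.Audit,Sys.Audit:
role:PowerOnly:VM.PowerMgmt,VM.Console:
acl:1:/vms/100:alice@pve:LegacyMonitor:
"""

def parse_roles(text):
    """Return {role name: set of privileges} for every role line."""
    roles = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) < 3 or fields[0] != "role":
            continue  # users, groups, ACLs, comments, blank lines
        roles[fields[1]] = {p.strip() for p in fields[2].split(",") if p.strip()}
    return roles

def audit_roles(text):
    """List roles holding VM.Monitor, with the replacements already present."""
    findings = []
    for name, privs in sorted(parse_roles(text).items()):
        if DROPPED not in privs:
            continue
        findings.append({
            "role": name,
            "guest_agent": [p for p in GUEST_AGENT_PRIVS if p in privs],
            # Only role contents are checked; ACL paths are not evaluated.
            "hmp": bool(privs & HMP_PRIVS),
        })
    return findings

if __name__ == "__main__":
    for f in audit_roles(SAMPLE_USER_CFG):
        print(f"{f['role']}: has {DROPPED}; guest agent privileges: "
              f"{f['guest_agent'] or 'none'}; Sys.Audit/Sys.Modify: {f['hmp']}")
```

A role reported with no guest agent privileges and no Sys.Audit or Sys.Modify loses the access VM.Monitor used to grant once the series is applied, so it is the one to review first.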