[pve-devel] [PATCH qemu-server 2/6] partially fix #6805: api: modify vm config: privilege checks for VM-state-related properties

From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH qemu-server 2/6] partially fix #6805: api: modify vm config: privilege checks for VM-state-related properties
Date: Wed, 17 Sep 2025 18:30:26 +0200	[thread overview]
Message-ID: <20250917163038.488710-3-f.ebner@proxmox.com> (raw)
In-Reply-To: <20250917163038.488710-1-f.ebner@proxmox.com>

Currently, the VM-state-related properties 'runningcpu',
'runningmachine' and 'running-nets-host-mtu' are not supposed to end
up in the VM configuration of a remote-migratable VM, because a
suspended VM is not yet migratable. However, there was a bug and the
properties were not removed after cloning from a snapshot, see commit
"partially fix #6805: api: clone: properly remove all snapshot-related
info". Upon remote migration, the property would be encountered and
would be limited to root@pam only. Also, migrating suspended VMs might
be implemented in the future, i.e. BZ issue #2252.

To aid fixing bug #6805 and preparing for issue #2252 in the future,
do proper privilege checking for configuration properties related to
the running VM state.

Note that the 'vmstate' property is already checked for in the
check_vm_modify_config_perm() helper. Note that VM-state-related
properties cannot be set via API by a user.

Originally-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/API2/Qemu.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 8097ea87..594c5d48 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -732,6 +732,7 @@ my $check_cpu_model_access = sub {
 my $cpuoptions = {
     'cores' => 1,
     'cpu' => 1,
+    'runningcpu' => 1,
     'cpulimit' => 1,
     'cpuunits' => 1,
     'numa' => 1,
@@ -751,6 +752,7 @@ my $hwtypeoptions = {
     'hotplug' => 1,
     'kvm' => 1,
     'machine' => 1,
+    'runningmachine' => 1,
     'scsihw' => 1,
     'smbios1' => 1,
     'tablet' => 1,
@@ -957,7 +959,7 @@ my $check_vm_modify_config_perm = sub {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
         } elsif ($diskoptions->{$opt}) {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-        } elsif ($opt =~ m/^net\d+$/) {
+        } elsif ($opt =~ m/^net\d+$/ || $opt eq 'running-nets-host-mtu') {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
         } elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/) {
             $rpcenv->check_vm_perm(
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

