From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Fiona Ebner <f.ebner@proxmox.com>
Subject: [pve-devel] applied-series: [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege
Date: Thu, 17 Jul 2025 23:26:29 +0200 [thread overview]
Message-ID: <c47cc125-a8d1-4458-9f28-c9bd99742c8e@proxmox.com> (raw)
In-Reply-To: <20250717133711.84715-1-f.ebner@proxmox.com>
Am 17.07.25 um 15:36 schrieb Fiona Ebner:
> The privilege VM.Monitor has a very ambiguous name and is dropped.
> Most of the API endpoints using it are for the QEMU guest agent
> commands, the only other place is access to the QEMU HMP monitor.
>
> 1. Introduce dedicated, more fine-grained privileges for the guest
> agent commands:
>
> There is a basic VM.GuestAgent.Audit privilege for read-only,
> informational commands.
>
> There are dedicated privileges VM.GuestAgent.File{Read,Write} for the
> file-{read,write} commands. There is a separate
> VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw and
> trim.
>
> The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
> operations, in particular also execution of arbitrary commands with
> guest-exec.
>
> 2. For access to the QEMU HMP monitor, only the 'info' and 'help'
> commands were usable without an additional Sys.Modify privilege. Since
> the information accessible via 'info' is very low-level and often
> related to the QEMU process on the system, requiring Sys.Audit seems
> natural.
>
> These are breaking changes. A check in pve8to9 is provided.
>
>
> qemu-server patch "api: monitor: improve permission handling" and
> manager patch "pve8to9: remove outdated checks for user roles" can
> be applied independently from the rest of the series.
>
>
> New qemu-server depends on new access-control, new access-control
> breaks old qemu-server.
I did not record the breaks for now, no big reason and we can still
do a re-bump of access-control if you prefer doing so, it *would* be
slightly cleaner.
> access-control:
>
> Fiona Ebner (2):
> add VM.GuestAgent privileges
> privileges: drop VM.Monitor
>
> src/PVE/AccessControl.pm | 7 +++++--
> src/test/perm-test1.pl | 8 ++++++--
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
>
> qemu-server:
>
> Fiona Ebner (3):
> api: agent: use more specific guest agent privileges
> api: monitor: improve permission handling
> api: monitor: require Sys.Audit or Sys.Modify privilege
>
> src/PVE/API2/Qemu.pm | 34 ++++--
> src/PVE/API2/Qemu/Agent.pm | 66 +++++++++--
> src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
> src/PVE/API2/Qemu/Makefile | 2 +-
> 4 files changed, 289 insertions(+), 20 deletions(-)
> create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm
>
>
> manager:
>
> Fiona Ebner (2):
> pve8to9: remove outdated checks for user roles
> pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles
>
> PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
> 1 file changed, 16 insertions(+), 24 deletions(-)
>
>
> docs:
>
> Fiona Ebner (2):
> user management: privileges: document new VM guest agent privileges
> user management: privileges: remove reference to dropped VM.Monitor
> privilege
>
> pveum.adoc | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>
> Summary over all repositories:
> 8 files changed, 322 insertions(+), 49 deletions(-)
>
applied, thanks!
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
prev parent reply other threads:[~2025-07-17 21:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-17 13:36 [pve-devel] " Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 1/9] add VM.GuestAgent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 2/9] privileges: drop VM.Monitor Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 3/9] api: agent: use more specific guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 4/9] api: monitor: improve permission handling Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 5/9] api: monitor: require Sys.Audit or Sys.Modify privilege Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH manager 6/9] pve8to9: remove outdated checks for user roles Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH manager 7/9] pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 8/9] user management: privileges: document new VM guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 9/9] user management: privileges: remove reference to dropped VM.Monitor privilege Fiona Ebner
2025-07-17 21:26 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c47cc125-a8d1-4458-9f28-c9bd99742c8e@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.