From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7C2E99EFEF for ; Wed, 7 Jun 2023 16:52:50 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 532B21B79F for ; Wed, 7 Jun 2023 16:52:20 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 7 Jun 2023 16:52:19 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0D18241F43 for ; Wed, 7 Jun 2023 16:52:19 +0200 (CEST) Date: Wed, 07 Jun 2023 16:52:10 +0200 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20230607120357.4177891-1-aderumier@odiso.com> <20230607120357.4177891-3-aderumier@odiso.com> In-Reply-To: <20230607120357.4177891-3-aderumier@odiso.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1686149351.zu4entfs6q.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.072 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH v4 qemu-server 1/1] api2: add check_bridge_access for create/update/clone/restore vm X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jun 2023 14:52:50 -0000 Reviewed-by: Fabian Gr=C3=BCnbichler but this might require a follow-up, see below. On June 7, 2023 2:03 pm, Alexandre Derumier wrote: > Signed-off-by: Alexandre Derumier > --- > PVE/API2/Qemu.pm | 33 +++++++++++++++++++++++++++++---- > 1 file changed, 29 insertions(+), 4 deletions(-) >=20 > diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm > index 587bb22..9e3a359 100644 > --- a/PVE/API2/Qemu.pm > +++ b/PVE/API2/Qemu.pm > @@ -23,7 +23,7 @@ use PVE::Storage; > use PVE::JSONSchema qw(get_standard_option); > use PVE::RESTHandler; > use PVE::ReplicationConfig; > -use PVE::GuestHelpers qw(assert_tag_permissions); > +use PVE::GuestHelpers qw(assert_tag_permissions check_vnet_access); > use PVE::QemuConfig; > use PVE::QemuServer; > use PVE::QemuServer::Cloudinit; 
> @@ -601,6 +601,22 @@ my $check_vm_create_usb_perm =3D sub { > return 1; > }; > =20 > +my $check_bridge_access =3D sub { > + my ($rpcenv, $authuser, $param) =3D @_; > + > + return 1 if $authuser eq 'root@pam'; > + > + foreach my $opt (keys %{$param}) { > + next if $opt !~ m/^net\d+$/; > + my $net =3D PVE::QemuServer::parse_net($param->{$opt}); > + my $bridge =3D $net->{bridge}; > + my $tag =3D $net->{tag}; > + my $trunks =3D $net->{trunks}; > + check_vnet_access($rpcenv, $authuser, $bridge, $tag, $trunks); > + } > + return 1; > +}; > + > my $check_vm_modify_config_perm =3D sub { > my ($rpcenv, $authuser, $vmid, $pool, $key_list) =3D @_; > =20 > @@ -728,7 +744,8 @@ __PACKAGE__->register_method({ > permissions =3D> { > description =3D> "You need 'VM.Allocate' permissions on /vms/{vmid} or = on the VM pool /pool/{pool}. " . > "For restore (option 'archive'), it is enough if the user has 'VM.B= ackup' permission and the VM already exists. " . > - "If you create disks you need 'Datastore.AllocateSpace' on any used= storage.", > + "If you create disks you need 'Datastore.AllocateSpace' on any used= storage." . > + "If you use a bridge/vlan, you need 'SDN.Use' on any used bridge/vl= an.", > user =3D> 'all', # check inside > }, > protected =3D> 1, > @@ -865,6 +882,10 @@ __PACKAGE__->register_method({ > 'backup', > ); > =20 > + my $vzdump_conf =3D PVE::Storage::extract_vzdump_config($storecfg, $ar= chive); > + my $backup_conf =3D PVE::QemuServer::parse_vm_config("restore/qemu-ser= ver/$vmid.conf", $vzdump_conf, 1); > + &$check_bridge_access($rpcenv, $authuser, $backup_conf); > + this part here should maybe be moved somewhere where we already have the extracted config, if possible? > $archive =3D $parse_restore_archive->($storecfg, $archive); > } > } 
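Review bot: In the new `$check_bridge_access` sub the return value of `PVE::QemuServer::parse_net` is used unchecked, so if it returns undef for an unparsable `net\d+` value, `$net->{bridge}` autovivifies `$net` and `check_vnet_access` is called with an undef bridge instead of the request failing at the permission check; `bridge=` is also optional in a net string, so the same undef bridge reaches the helper for a legitimately bridge-less device. Whether `check_vnet_access` treats an undef bridge as "nothing to check" is not visible here, so fail closed on the parse and make the bridge-less case explicit: `die "invalid network device '$opt'\n" if !$net;` after the parse, and `next if !defined($bridge);` before the call, the latter only if the helper does not already handle it. As a point of style, `\z` instead of `$` in `m/^net\d+$/` avoids accepting a trailing newline, though schema-validated keys will not carry one.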
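Review bot: The new description fragment in the create endpoint's `permissions` block is joined directly onto `"... on any used storage."`, producing "storage.If you use a bridge/vlan" in the rendered API documentation, because the rewritten fragment lost the trailing space the earlier fragments carry (`... /pool/{pool}. " .`). Change the first added line to `"If you create disks you need 'Datastore.AllocateSpace' on any used storage. " .`. The clone endpoint's description later in this patch says 'bridge/vnet' where this one says 'bridge/vlan'; one term should be used for both.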
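Review bot: The archive config is extracted and parsed on every restore, including for `root@pam`, only for `$check_bridge_access` to return immediately for that user; the extraction also now runs before `$parse_restore_archive` resolves the archive, so any failure in `extract_vzdump_config` surfaces at permission-check time rather than in the restore worker (whether that function dies or returns undef on an archive without a config is not visible in the hunk). Wrapping the two added calls and the check in `if ($authuser ne 'root@pam') { ... }` keeps the root path as it was. The third argument `1` to `parse_vm_config` deserves a short trailing comment naming what it enables, since nothing at the call site says. The enclosing create handler starts and ends outside the hunk.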
> @@ -878,7 +899,7 @@ __PACKAGE__->register_method({ > =20 > &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $pa= ram); > &$check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param= ); > - > + &$check_bridge_access($rpcenv, $authuser, $param); > &$check_cpu_model_access($rpcenv, $authuser, $param); > =20 > $check_drive_param->($param, $storecfg); > @@ -1578,6 +1599,8 @@ my $update_vm_api =3D sub { > =20 > &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param)= ; > =20 > + &$check_bridge_access($rpcenv, $authuser, $param); > + > my $updatefn =3D sub { > =20 > my $conf =3D PVE::QemuConfig->load_config($vmid); > @@ -3355,7 +3378,7 @@ __PACKAGE__->register_method({ > permissions =3D> { > description =3D> "You need 'VM.Clone' permissions on /vms/{vmid}, and '= VM.Allocate' permissions " . > "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " = . > - "'Datastore.AllocateSpace' on any used storage.", > + "'Datastore.AllocateSpace' on any used storage and 'SDN.Use' on any= used bridge/vnet", > check =3D> > [ 'and', > ['perm', '/vms/{vmid}', [ 'VM.Clone' ]], > @@ -3489,6 +3512,8 @@ __PACKAGE__->register_method({ > =20 > my $sharedvm =3D &$check_storage_access_clone($rpcenv, $authuser, $= storecfg, $oldconf, $storage); > =20 > + &$check_bridge_access($rpcenv, $authuser, $oldconf); > + > die "can't clone VM to node '$target' (VM uses local storage)\n" > if $target && !$sharedvm; > =20 > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20
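Review bot: The rewritten clone description drops the terminating period the replaced line had (`... on any used storage."`) and now ends with `bridge/vnet"`, and it says 'bridge/vnet' where the create description added earlier in this patch says 'bridge/vlan'. Change the line to `"'Datastore.AllocateSpace' on any used storage and 'SDN.Use' on any used bridge/vnet.",` and align the term with the create endpoint so the two permission descriptions read the same.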
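Review bot: In the clone hunk `$check_bridge_access` is run against `$oldconf`, but the hunk does not show whether `$oldconf` is already the snapshot's config when a `snapname` is given; the permission check has to cover the network devices that will actually be cloned, so confirm `$oldconf` is resolved to the snapshot config at this point rather than the live config. A one-line comment above the call stating which config is checked and why, e.g. `# the clone inherits the source's net devices, so the user needs SDN.Use on their bridges`, would make the intent clear to the next reader. The enclosing clone worker starts and ends outside the hunk.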