From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Wed, 27 Apr 2022 13:36:00 +0200
Message-Id: <20220427113600.166803-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [PATCH manager] api2: network: anybridge: re-add regular bridges

commit 052fbb2a4d1bdeb490b2e3b67cd7555e460ebe93 introduced permission checks here that caused all regular bridges to be removed from the returned list as soon as the SDN package is installed, unless the user is root@pam or there exists a VNET with the same ID.

this is arguably a breaking change, so limit the priv check to actually defined VNETs for the time being, and add ALL regular bridges unconditionally like before. get_local_vnets already filters by the same privs, so we need to get the full config to find out which IDs are VNETs and which are not.

once/iff we introduce ACL paths for *all* bridges in the future, we can limit accordingly here.

CC: Alexandre Derumier
Signed-off-by: Fabian Grünbichler
--- PVE/API2/Network.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm index 214ab50a..a43579fa 100644 --- a/PVE/API2/Network.pm +++ b/PVE/API2/Network.pm
@@ -240,13 +240,16 @@ __PACKAGE__->register_method({ if (my $tfilter = $param->{type}) { my $vnets; + my $vnet_cfg; my $can_access_vnet = sub { # only matters for the $have_sdn case, checked implict return 1 if $authuser eq 'root@pam' || !defined($vnets); + return 1 if !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # not a vnet $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 'SDN.Allocate'], 1) }; if ($have_sdn && $param->{type} eq 'any_bridge') { $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered + $vnet_cfg = PVE::Network::SDN::Vnets::config(); } for my $k (sort keys $ifaces->%*) { -- 2.30.2
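Review bot: the new early return in `$can_access_vnet` (`return 1 if !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # not a vnet`) fails open: any undef result from the lookup is read as "regular bridge" and skips the `check_any` call on `/sdn/vnets/$_[0]`, so an ID would also pass if `$vnet_cfg` were empty or undefined rather than the ID genuinely not being a VNET. Within this hunk `$vnet_cfg` is only assigned in the `any_bridge` branch next to `$vnets`, and the preceding `!defined($vnets)` guard covers the unset case, but that coupling is implicit; consider guarding on `defined($vnet_cfg)` explicitly, or denying when `config()` returns nothing. It would also help to comment the `$vnet_cfg = PVE::Network::SDN::Vnets::config();` line as unfiltered, in contrast to the "returns already access-filtered" comment on `$vnets`, so that it is only ever used for the existence test and never to build the returned list.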