From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 4E4638C4E for ; Wed, 16 Nov 2022 16:48:51 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D48B121EB8 for ; Wed, 16 Nov 2022 16:48:20 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 16 Nov 2022 16:48:18 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A425443F0C for ; Wed, 16 Nov 2022 16:48:17 +0100 (CET) From: Dominik Csapak To: pve-devel@lists.proxmox.com Date: Wed, 16 Nov 2022 16:48:02 +0100 Message-Id: <20221116154815.358385-9-d.csapak@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221116154815.358385-1-d.csapak@proxmox.com> References: <20221116154815.358385-1-d.csapak@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.065 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF =?UTF-8?Q?record=0A=09?=URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [lxc.pm] Subject: [pve-devel] [PATCH container v11 1/1] check_ct_modify_config_perm: check for tags permissions with 'assert_tag_permissions' X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2022 15:48:51 -0000 from GuestHelpers. This function checks all necessary permissions and raises an exception if the user does not have the correct ones. This is necessary for the new 'privileged' tags and 'user-tag-access' permissions to work. Signed-off-by: Dominik Csapak --- src/PVE/LXC.pm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 4bbd739..3cedc9a 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -1336,6 +1336,10 @@ sub check_ct_modify_config_perm { } elsif ($opt eq 'hookscript') { # For now this is restricted to root@pam raise_perm_exc("changing the hookscript is only allowed for root\@pam"); + } elsif ($opt eq 'tags') { + my $old = $oldconf->{$opt}; + my $new = $delete ? '' : $newconf->{$opt}; + PVE::GuestHelpers::assert_tag_permissions($vmid, $old, $new, $rpcenv, $authuser); } else { $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']); } -- 2.30.2