From: Alexandre Derumier <aderumier@odiso.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH qemu-server] restore: remove param from restored config if no access
Date: Fri,  9 Jun 2023 10:08:55 +0200	[thread overview]
Message-ID: <20230609080855.541473-1-aderumier@odiso.com> (raw)

Currently this only checks bridge access, but it could be extended
to PCI/USB device access once that is implemented.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/QemuServer.pm | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 7f7b10b..786764e 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6520,6 +6520,26 @@ sub check_bridge_access {
     return 1;
 };
 
+#remove params from restore config where we don't have permissions
+sub check_restore_config_access {
+    my ($rpcenv, $authuser, $conf) = @_;
+
+    return 1 if $authuser eq 'root@pam';
+
+    for my $opt (sort keys $conf->%*) {
+	next if $opt !~ m/^net\d+$/;
+	eval {
+	    check_bridge_access($rpcenv, $authuser, {$opt => $conf->{$opt}});
+	};
+	if ($@) {
+	    warn "$opt: $@\n";
+	    warn "$opt: no bridge access. removing $opt from restored config\n";
+	    delete $conf->{$opt};
+	}
+    }
+    return 1;
+};
+
 # vzdump restore implementaion
 
 sub tar_archive_read_firstfile {
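Review bot: In `check_restore_config_access` the `eval` treats every exception from `check_bridge_access` as a permission denial, and the second `warn` always prints "no bridge access" whatever `$@` held. Dropping the device fails closed, which is the safe direction, but if `check_bridge_access` can die for any other reason (its body lies outside this hunk) the interface is removed with a misleading log line. Copy the error before anything can clobber it and report it once, e.g. `if (my $err = $@) {` followed by `warn "$opt: removing from restored config: $err";`. The header comment should also say that `$conf` is modified in place, that only `netN` keys are examined, and that the sub always returns 1.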
@@ -7164,7 +7184,7 @@ sub restore_proxmox_backup_archive {
     }
 
     my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $options->{override_conf});
-    check_bridge_access($rpcenv, $user, $new_conf);
+    check_restore_config_access($rpcenv, $user, $new_conf);
     PVE::QemuConfig->write_config($vmid, $new_conf);
 
     eval { rescan($vmid, 1); };
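Review bot: The return value of `check_restore_config_access` is discarded here and at the identical call in `restore_vma_archive`, and the helper edits `$new_conf` in place, so the config passed to `write_config` can be smaller than what was merged from the backup and `override_conf`. A one-line comment on the call would make that visible, for example `# strips netN entries the user may not attach; modifies $new_conf in place`. Because the restore no longer aborts on a denied bridge, the `warn` output is the only record of the dropped device, so it is worth confirming that it reaches the task log the restoring user sees. Both enclosing functions start and end outside their hunks.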
@@ -7478,7 +7498,7 @@ sub restore_vma_archive {
     }
 
     my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $opts->{override_conf});
-    check_bridge_access($rpcenv, $user, $new_conf);
+    check_restore_config_access($rpcenv, $user, $new_conf);
     PVE::QemuConfig->write_config($vmid, $new_conf);
 
     eval { rescan($vmid, 1); };
-- 
2.30.2



