[pve-devel] [PATCH qemu-server] restore: remove param from restored config if no access

[pve-devel] [PATCH qemu-server] restore: remove param from restored config if no access

[Alexandre Derumier]

Currently check bridge access, but it could be extended
for pci/usb devices access when it'll be implemented

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/QemuServer.pm | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 7f7b10b..786764e 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6520,6 +6520,26 @@ sub check_bridge_access {
     return 1;
 };
 
+#remove params from restore config where we don't have permissions
+sub check_restore_config_access {
+    my ($rpcenv, $authuser, $conf) = @_;
+
+    return 1 if $authuser eq 'root@pam';
+
+    for my $opt (sort keys $conf->%*) {
+	next if $opt !~ m/^net\d+$/;
+	eval {
+	    check_bridge_access($rpcenv, $authuser, {$opt => $conf->{$opt}});
+	};
+	if ($@) {
+	    warn "$opt: $@\n";
+	    warn "$opt: no bridge access. removing $opt from restored config\n";
+	    delete $conf->{$opt};
+	}
+    }
+    return 1;
+};
+
 # vzdump restore implementaion
 
 sub tar_archive_read_firstfile {
@@ -7164,7 +7184,7 @@ sub restore_proxmox_backup_archive {
     }
 
     my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $options->{override_conf});
-    check_bridge_access($rpcenv, $user, $new_conf);
+    check_restore_config_access($rpcenv, $user, $new_conf);
     PVE::QemuConfig->write_config($vmid, $new_conf);
 
     eval { rescan($vmid, 1); };
@@ -7478,7 +7498,7 @@ sub restore_vma_archive {
     }
 
     my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $opts->{override_conf});
-    check_bridge_access($rpcenv, $user, $new_conf);
+    check_restore_config_access($rpcenv, $user, $new_conf);
     PVE::QemuConfig->write_config($vmid, $new_conf);
 
     eval { rescan($vmid, 1); };
-- 
2.30.2