From: Fabian Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com, Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pve-devel] [PATCH container 1/2] add old config and unprivileged to check_ct_modify_config_perm
Date: Wed, 4 Aug 2021 10:47:29 +0200 [thread overview]
Message-ID: <6f09c275-97bd-45ba-3f8b-aae557aa787a@proxmox.com> (raw)
In-Reply-To: <20210803122954.2641138-2-d.csapak@proxmox.com>
Am 03.08.21 um 14:29 schrieb Dominik Csapak:
> we'll need that for checking the features more granularly
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> src/PVE/API2/LXC.pm | 6 ++++--
> src/PVE/API2/LXC/Config.pm | 9 ++++++---
> src/PVE/LXC.pm | 2 +-
> 3 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index b929481..e16ce6c 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -254,7 +254,7 @@ __PACKAGE__->register_method({
> my $ostemplate = extract_param($param, 'ostemplate');
> my $storage = extract_param($param, 'storage') // 'local';
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, undef, $param, [], $unprivileged);
>
> my $storage_cfg = cfs_read_file("storage.cfg");
>
> @@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({
>
> die "no options specified\n" if !scalar(keys %$param);
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
> + my $conf = PVE::LXC::Config->load_config($vmid);
> +
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $conf->{unprivileged});
>
> my $storage_cfg = cfs_read_file("storage.cfg");
>
> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
> index 73fec36..ab136c0 100644
> --- a/src/PVE/API2/LXC/Config.pm
> +++ b/src/PVE/API2/LXC/Config.pm
> @@ -135,6 +135,9 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $conf = PVE::LXC::Config->load_config($vmid);
> + my $unprivileged = $conf->{unprivileged};
> +
> my $digest = extract_param($param, 'digest');
>
> die "no options specified\n" if !scalar(keys %$param);
> @@ -144,8 +147,8 @@ __PACKAGE__->register_method({
> my $revert_str = extract_param($param, 'revert');
> my @revert = PVE::Tools::split_list($revert_str);
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@delete]);
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@revert]);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@delete], $unprivileged);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@revert], $unprivileged);
>
> foreach my $opt (@revert) {
> raise_param_exc({ revert => "unknown option '$opt'" })
> @@ -166,7 +169,7 @@ __PACKAGE__->register_method({
> if grep(/^$opt$/, @revert);
> }
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $unprivileged);
When restoring, $param can be {} here.
This means together with the other patches, it's possible as non-root to:
1. Enable nesting on an unprivileged container
2. Backup
3. Restore as privileged, and nesting is still set
>
> my $storage_cfg = PVE::Storage::config();
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 139f901..32a2127 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1242,7 +1242,7 @@ sub template_create {
> }
>
> sub check_ct_modify_config_perm {
> - my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_;
> + my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;
>
> return 1 if $authuser eq 'root@pam';
> my $storage_cfg = PVE::Storage::config();
>
next prev parent reply other threads:[~2021-08-04 8:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 12:29 [pve-devel] [PATCH container/manager] default nesting for unpriv containers in ui Dominik Csapak
2021-08-03 12:29 ` [pve-devel] [PATCH container 1/2] add old config and unprivileged to check_ct_modify_config_perm Dominik Csapak
2021-08-04 8:45 ` Wolfgang Bumiller
2021-08-04 8:47 ` Fabian Ebner [this message]
2021-08-04 8:49 ` Fabian Ebner
2021-08-03 12:29 ` [pve-devel] [PATCH container 2/2] allow nesting to be changed for VM.Allocate on unprivileged containers Dominik Csapak
2021-08-04 8:53 ` Wolfgang Bumiller
2021-08-04 8:57 ` Fabian Ebner
2021-08-03 12:29 ` [pve-devel] [PATCH manager 1/2] ui: lxc/Options: allow opening features window for VM.Allocate Dominik Csapak
2021-08-03 12:29 ` [pve-devel] [PATCH manager 2/2] ui: lxc/CreateWizard: add a 'nesting' checkbox and enable it by default Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6f09c275-97bd-45ba-3f8b-aae557aa787a@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox