From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7DEF16B722 for ; Wed, 4 Aug 2021 10:47:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7BD1B1C9D4 for ; Wed, 4 Aug 2021 10:47:31 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id DA4B11C9C6 for ; Wed, 4 Aug 2021 10:47:30 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B14F342D9F for ; Wed, 4 Aug 2021 10:47:30 +0200 (CEST) To: pve-devel@lists.proxmox.com, Dominik Csapak References: <20210803122954.2641138-1-d.csapak@proxmox.com> <20210803122954.2641138-2-d.csapak@proxmox.com> From: Fabian Ebner Message-ID: <6f09c275-97bd-45ba-3f8b-aae557aa787a@proxmox.com> Date: Wed, 4 Aug 2021 10:47:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 MIME-Version: 1.0 In-Reply-To: <20210803122954.2641138-2-d.csapak@proxmox.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.504 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.132 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [config.pm, lxc.pm] Subject: Re: [pve-devel] [PATCH container 1/2] add old config and unprivileged to check_ct_modify_config_perm X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Aug 2021 08:47:31 -0000 Am 03.08.21 um 14:29 schrieb Dominik Csapak: > we'll need that for checking the features more granularly > > Signed-off-by: Dominik Csapak > --- > src/PVE/API2/LXC.pm | 6 ++++-- > src/PVE/API2/LXC/Config.pm | 9 ++++++--- > src/PVE/LXC.pm | 2 +- > 3 files changed, 11 insertions(+), 6 deletions(-) > > diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm > index b929481..e16ce6c 100644 > --- a/src/PVE/API2/LXC.pm > +++ b/src/PVE/API2/LXC.pm > @@ -254,7 +254,7 @@ __PACKAGE__->register_method({ > my $ostemplate = extract_param($param, 'ostemplate'); > my $storage = extract_param($param, 'storage') // 'local'; > > - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []); > + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, undef, $param, [], $unprivileged); > > my $storage_cfg = cfs_read_file("storage.cfg"); > > @@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({ > > die "no options specified\n" if !scalar(keys %$param); > > - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []); > + my $conf = PVE::LXC::Config->load_config($vmid); > + > + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $conf->{unprivileged}); > > my $storage_cfg = cfs_read_file("storage.cfg"); > > diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm > index 73fec36..ab136c0 100644 > --- a/src/PVE/API2/LXC/Config.pm > +++ b/src/PVE/API2/LXC/Config.pm > @@ -135,6 +135,9 @@ __PACKAGE__->register_method({ > my $node = extract_param($param, 'node'); > my $vmid = extract_param($param, 'vmid'); > > + my $conf = PVE::LXC::Config->load_config($vmid); > + my $unprivileged = $conf->{unprivileged}; > + > my $digest = extract_param($param, 'digest'); > > die "no options specified\n" if !scalar(keys %$param); > @@ -144,8 +147,8 @@ __PACKAGE__->register_method({ > my $revert_str = extract_param($param, 'revert'); > my @revert = PVE::Tools::split_list($revert_str); > > - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@delete]); > - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@revert]); > + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@delete], $unprivileged); > + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@revert], $unprivileged); > > foreach my $opt (@revert) { > raise_param_exc({ revert => "unknown option '$opt'" }) > @@ -166,7 +169,7 @@ __PACKAGE__->register_method({ > if grep(/^$opt$/, @revert); > } > > - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []); > + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $unprivileged); When restoring, $param can be {} here. This means together with the other patches, it's possible as non-root to: 1. Enable nesting on an unprivileged container 2. Backup 3. Restore as privileged, and nesting is still set > > my $storage_cfg = PVE::Storage::config(); > > diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm > index 139f901..32a2127 100644 > --- a/src/PVE/LXC.pm > +++ b/src/PVE/LXC.pm > @@ -1242,7 +1242,7 @@ sub template_create { > } > > sub check_ct_modify_config_perm { > - my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_; > + my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_; > > return 1 if $authuser eq 'root@pam'; > my $storage_cfg = PVE::Storage::config(); >