From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Fiona Ebner <f.ebner@proxmox.com>
Subject: [pve-devel] applied-series: [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege
Date: Thu, 17 Jul 2025 23:26:29 +0200 [thread overview]
Message-ID: <c47cc125-a8d1-4458-9f28-c9bd99742c8e@proxmox.com> (raw)
In-Reply-To: <20250717133711.84715-1-f.ebner@proxmox.com>
Am 17.07.25 um 15:36 schrieb Fiona Ebner:
> The privilege VM.Monitor has a very ambiguous name and is dropped.
> Most of the API endpoints using it are for the QEMU guest agent
> commands, the only other place is access to the QEMU HMP monitor.
>
> 1. Introduce dedicated, more fine-grained privileges for the guest
> agent commands:
>
> There is a basic VM.GuestAgent.Audit privilege for read-only,
> informational commands.
>
> There are dedicated privileges VM.GuestAgent.File{Read,Write} for the
> file-{read,write} commands. There is a separate
> VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw and
> trim.
>
> The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
> operations, in particular also execution of arbitrary commands with
> guest-exec.
>
> 2. For access to the QEMU HMP monitor, only the 'info' and 'help'
> commands were usable without an additional Sys.Modify privilege. Since
> the information accessible via 'info' is very low-level and often
> related to the QEMU process on the system, requiring Sys.Audit seems
> natural.
>
> These are breaking changes. A check in pve8to9 is provided.
>
>
> qemu-server patch "api: monitor: improve permission handling" and
> manager patch "pve8to9: remove outdated checks for user roles" can
> be applied independently from the rest of the series.
>
>
> New qemu-server depends on new access-control, new access-control
> breaks old qemu-server.
I did not record the breaks for now, no big reason and we can still
do a re-bump of access-control if you prefer doing so, it *would* be
slightly cleaner.
> access-control:
>
> Fiona Ebner (2):
> add VM.GuestAgent privileges
> privileges: drop VM.Monitor
>
> src/PVE/AccessControl.pm | 7 +++++--
> src/test/perm-test1.pl | 8 ++++++--
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
>
> qemu-server:
>
> Fiona Ebner (3):
> api: agent: use more specific guest agent privileges
> api: monitor: improve permission handling
> api: monitor: require Sys.Audit or Sys.Modify privilege
>
> src/PVE/API2/Qemu.pm | 34 ++++--
> src/PVE/API2/Qemu/Agent.pm | 66 +++++++++--
> src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
> src/PVE/API2/Qemu/Makefile | 2 +-
> 4 files changed, 289 insertions(+), 20 deletions(-)
> create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm
>
>
> manager:
>
> Fiona Ebner (2):
> pve8to9: remove outdated checks for user roles
> pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles
>
> PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
> 1 file changed, 16 insertions(+), 24 deletions(-)
>
>
> docs:
>
> Fiona Ebner (2):
> user management: privileges: document new VM guest agent privileges
> user management: privileges: remove reference to dropped VM.Monitor
> privilege
>
> pveum.adoc | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>
> Summary over all repositories:
> 8 files changed, 322 insertions(+), 49 deletions(-)
>
applied, thanks!
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
prev parent reply other threads:[~2025-07-17 21:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-17 13:36 [pve-devel] " Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 1/9] add VM.GuestAgent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 2/9] privileges: drop VM.Monitor Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 3/9] api: agent: use more specific guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 4/9] api: monitor: improve permission handling Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 5/9] api: monitor: require Sys.Audit or Sys.Modify privilege Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH manager 6/9] pve8to9: remove outdated checks for user roles Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH manager 7/9] pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 8/9] user management: privileges: document new VM guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 9/9] user management: privileges: remove reference to dropped VM.Monitor privilege Fiona Ebner
2025-07-17 21:26 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c47cc125-a8d1-4458-9f28-c9bd99742c8e@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox