[pve-devel] [PATCH v2 qemu-server] restrict monitor API to Sys.Modify for most commands

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Nov 23 09:17:07 CET 2016


because these allow adding arbitrary devices to VMs (and
other potentially dangerous things).

whitelist 'info *' and 'help' as usable with just
VM.Monitor, if more are desired and requested they can be
added later.
---
Note: v1 was called 'restrict monitor API call to Sys.Modify'

Changed:
- no longer restrict all commands, but use whitelist instead.

 PVE/API2/Qemu.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 7376cd7..29adf83 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -2775,6 +2775,7 @@ __PACKAGE__->register_method({
     proxyto => 'node',
     description => "Execute Qemu monitor commands.",
     permissions => {
+	description => "Sys.Modify is required for (sub)commands which are not read-only ('info *' and 'help')",
 	check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
     },
     parameters => {
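Review bot: the new permissions description is ambiguous: as written, the parenthetical "('info *' and 'help')" reads as the list of commands that are *not* read-only, which is the opposite of what the check below implements. Suggest rewording to something like `description => "Sys.Modify is required for all (sub)commands except the read-only 'info *' and 'help'",` so the API docs state the whitelist the way the code enforces it.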
@@ -2792,6 +2793,18 @@ __PACKAGE__->register_method({
     code => sub {
 	my ($param) = @_;
 
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
+
+	my $is_ro = sub {
+	    my $command = shift;
+	    return $command =~ m/^\s*info(\s+|$)/
+	        || $command =~ m/^\s*help\s*$/;
+	};
+
+	$rpcenv->check_full($authuser, "/", ['Sys.Modify'])
+	    if !&$is_ro($param->{command});
+
 	my $vmid = $param->{vmid};
 
 	my $conf = PVE::QemuConfig->load_config ($vmid); # check if VM exists
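Review bot: the `$is_ro` whitelist in `m/^\s*info(\s+|$)/` anchors only on the first token and lets `\s+` match a newline, so a command string whose first line is `info` followed by further lines still counts as read-only; unless the monitor is known to treat the whole string as exactly one command line, tighten the pattern to exclude line breaks (e.g. `m/^\s*info(\s+[^\n]*)?\s*\z/` and `m/^\s*help\s*\z/`) so the read-only classification covers the entire string rather than its first line. Two smaller points: `$rpcenv->check_full($authuser, "/", ['Sys.Modify'])` is checked on the root path, which is the right scope for a node-wide privilege and still runs after the per-VM `VM.Monitor` check from the `permissions` block, so that ordering is fine; and `&$is_ro(...)` would read more idiomatically as `$is_ro->(...)`, matching the style used elsewhere in this file.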
-- 
2.1.4