[pve-devel] [PATCH qemu-server] fix #1811: allow VM.Config.HWType to add serial socket
Dominik Csapak
d.csapak at proxmox.com
Fri Nov 30 11:15:04 CET 2018
On 11/30/18 11:07 AM, David Limbeck wrote:
> allow serial sockets to be added if VM.Config.HWType permission is
> satisfied but deny serial devices for anyone other than root
> (raise_perm_exc). this allows PVEVMAdmins to add serial consoles.
>
> Signed-off-by: David Limbeck <d.limbeck at proxmox.com>
> ---
> PVE/API2/Qemu.pm | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index c82e2fa..8ae4da2 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -310,6 +310,7 @@ my $check_vm_modify_config_perm = sub {
> next if PVE::QemuServer::is_valid_drivename($opt);
> next if $opt eq 'cdrom';
> next if $opt =~ m/^unused\d+$/;
> + next if $opt =~ m/^serial[0-3]$/;
>
> if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.CPU']);
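Review bot: the added `next if $opt =~ m/^serial[0-3]$/;` exempts serial options from every permission check in `$check_vm_modify_config_perm`, so any caller of this helper that does not add its own serial check will accept them unchecked, and this patch only adds one in `$update_vm_api`. Consider making the socket/device decision inside this helper instead, which means passing it the parameter values as well as the keys, and add a comment saying why serial options are special-cased.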
> @@ -1108,6 +1109,16 @@ my $update_vm_api = sub {
>
> &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);
>
> + foreach my $opt (keys %$param) {
> + if ($opt =~ m/serial[0-3]/) {
> + if ($param->{$opt} eq 'socket') {
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> + } else {
> + raise_perm_exc('user root at pam required for serial devices') if ($authuser ne 'root at pam');
> + }
> + }
> + }
> +
> &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
>
> my $updatefn = sub {
>
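Review bot: the match `m/serial[0-3]/` in the new loop is unanchored, while the skip added to `$check_vm_modify_config_perm` uses `m/^serial[0-3]$/`. Use the same anchored pattern in both places so the set of options exempted there is exactly the set checked here. A short comment explaining why any value other than 'socket' is restricted to root would also help the next reader.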
it seems the check does not get executed when creating a vm
i think it would make more sense to expand check_vm_modify_config_perm
to also give the values of the params and do the check inside