[pve-devel] [PATCH container 1/2] add old config and unprivileged to check_ct_modify_config_perm
Fabian Ebner
f.ebner at proxmox.com
Wed Aug 4 10:47:29 CEST 2021
Am 03.08.21 um 14:29 schrieb Dominik Csapak:
> we'll need that for checking the features more granularly
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> src/PVE/API2/LXC.pm | 6 ++++--
> src/PVE/API2/LXC/Config.pm | 9 ++++++---
> src/PVE/LXC.pm | 2 +-
> 3 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index b929481..e16ce6c 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -254,7 +254,7 @@ __PACKAGE__->register_method({
> my $ostemplate = extract_param($param, 'ostemplate');
> my $storage = extract_param($param, 'storage') // 'local';
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, undef, $param, [], $unprivileged);
>
> my $storage_cfg = cfs_read_file("storage.cfg");
>
> @@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({
>
> die "no options specified\n" if !scalar(keys %$param);
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
> + my $conf = PVE::LXC::Config->load_config($vmid);
> +
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $conf->{unprivileged});
>
> my $storage_cfg = cfs_read_file("storage.cfg");
>
> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
> index 73fec36..ab136c0 100644
> --- a/src/PVE/API2/LXC/Config.pm
> +++ b/src/PVE/API2/LXC/Config.pm
> @@ -135,6 +135,9 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $conf = PVE::LXC::Config->load_config($vmid);
> + my $unprivileged = $conf->{unprivileged};
> +
> my $digest = extract_param($param, 'digest');
>
> die "no options specified\n" if !scalar(keys %$param);
> @@ -144,8 +147,8 @@ __PACKAGE__->register_method({
> my $revert_str = extract_param($param, 'revert');
> my @revert = PVE::Tools::split_list($revert_str);
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@delete]);
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@revert]);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@delete], $unprivileged);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@revert], $unprivileged);
>
> foreach my $opt (@revert) {
> raise_param_exc({ revert => "unknown option '$opt'" })
> @@ -166,7 +169,7 @@ __PACKAGE__->register_method({
> if grep(/^$opt$/, @revert);
> }
>
> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $unprivileged);
When restoring, $param can be {} here.
This means together with the other patches, it's possible as non-root to:
1. Enable nesting on an unprivileged container
2. Backup
3. Restore as privileged, and nesting is still set
>
> my $storage_cfg = PVE::Storage::config();
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 139f901..32a2127 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1242,7 +1242,7 @@ sub template_create {
> }
>
> sub check_ct_modify_config_perm {
> - my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_;
> + my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;
>
> return 1 if $authuser eq 'root at pam';
> my $storage_cfg = PVE::Storage::config();
>
More information about the pve-devel
mailing list