[pve-devel] [PATCH container 1/2] add old config and unprivileged to check_ct_modify_config_perm
Fabian Ebner
f.ebner at proxmox.com
Wed Aug 4 10:49:19 CEST 2021
Am 04.08.21 um 10:47 schrieb Fabian Ebner:
> Am 03.08.21 um 14:29 schrieb Dominik Csapak:
>> we'll need that for checking the features more granularly
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>> src/PVE/API2/LXC.pm | 6 ++++--
>> src/PVE/API2/LXC/Config.pm | 9 ++++++---
>> src/PVE/LXC.pm | 2 +-
>> 3 files changed, 11 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
>> index b929481..e16ce6c 100644
>> --- a/src/PVE/API2/LXC.pm
>> +++ b/src/PVE/API2/LXC.pm
>> @@ -254,7 +254,7 @@ __PACKAGE__->register_method({
>> my $ostemplate = extract_param($param, 'ostemplate');
>> my $storage = extract_param($param, 'storage') // 'local';
>> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> $pool, $param, []);
>> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> $pool, undef, $param, [], $unprivileged);
Sorry, I meant here ;)
>> my $storage_cfg = cfs_read_file("storage.cfg");
>> @@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({
>> die "no options specified\n" if !scalar(keys %$param);
>> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $param, []);
>> + my $conf = PVE::LXC::Config->load_config($vmid);
>> +
>> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $conf, $param, [], $conf->{unprivileged});
>> my $storage_cfg = cfs_read_file("storage.cfg");
>> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
>> index 73fec36..ab136c0 100644
>> --- a/src/PVE/API2/LXC/Config.pm
>> +++ b/src/PVE/API2/LXC/Config.pm
>> @@ -135,6 +135,9 @@ __PACKAGE__->register_method({
>> my $node = extract_param($param, 'node');
>> my $vmid = extract_param($param, 'vmid');
>> + my $conf = PVE::LXC::Config->load_config($vmid);
>> + my $unprivileged = $conf->{unprivileged};
>> +
>> my $digest = extract_param($param, 'digest');
>> die "no options specified\n" if !scalar(keys %$param);
>> @@ -144,8 +147,8 @@ __PACKAGE__->register_method({
>> my $revert_str = extract_param($param, 'revert');
>> my @revert = PVE::Tools::split_list($revert_str);
>> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, {}, [@delete]);
>> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, {}, [@revert]);
>> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $conf, {}, [@delete], $unprivileged);
>> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $conf, {}, [@revert], $unprivileged);
>> foreach my $opt (@revert) {
>> raise_param_exc({ revert => "unknown option '$opt'" })
>> @@ -166,7 +169,7 @@ __PACKAGE__->register_method({
>> if grep(/^$opt$/, @revert);
>> }
>> - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $param, []);
>> + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
>> undef, $conf, $param, [], $unprivileged);
>
> When restoring, $param can be {} here.
>
> This means together with the other patches, it's possible as non-root to:
> 1. Enable nesting on an unprivileged container
> 2. Backup
> 3. Restore as privileged, and nesting is still set
>
>> my $storage_cfg = PVE::Storage::config();
>> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
>> index 139f901..32a2127 100644
>> --- a/src/PVE/LXC.pm
>> +++ b/src/PVE/LXC.pm
>> @@ -1242,7 +1242,7 @@ sub template_create {
>> }
>> sub check_ct_modify_config_perm {
>> - my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_;
>> + my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf,
>> $delete, $unprivileged) = @_;
>> return 1 if $authuser eq 'root at pam';
>> my $storage_cfg = PVE::Storage::config();
>>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
More information about the pve-devel
mailing list