[pve-devel] [PATCH qemu-server v7 5/11] Permission check for virtiofs directory access

Wed Aug 9 10:37:33 CEST 2023

Signed-off-by: Markus Frank <m.frank at proxmox.com>
---
 PVE/API2/Qemu.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 9606e72..65830f9 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -586,6 +586,19 @@ my $check_vm_create_serial_perm = sub {
     return 1;
 };
 
+my sub check_vm_dir_perm {
+    my ($rpcenv, $authuser, $param) = @_;
+
+    return 1 if $authuser eq 'root at pam';
+
+    foreach my $opt (keys %{$param}) {
+	next if $opt !~ m/^virtiofs\d+$/;
+	my $virtiofs = PVE::JSONSchema::parse_property_string('pve-qm-virtiofs', $param->{$opt});
+	$rpcenv->check_full($authuser, "/mapping/dir/$virtiofs->{dirid}", ['Mapping.Use']);
+    }
+    return 1;
+};
+
 my sub check_usb_perm {
     my ($rpcenv, $authuser, $vmid, $pool, $opt, $value) = @_;
 
@@ -687,6 +700,8 @@ my $check_vm_modify_config_perm = sub {
 	    # the user needs Disk and PowerMgmt privileges to change the vmstate
 	    # also needs privileges on the storage, that will be checked later
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk', 'VM.PowerMgmt' ]);
+	} elsif ($opt =~ m/^virtiofs\d$/) {
+	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
 	} else {
 	    # catches args, lock, etc.
 	    # new options will be checked here
@@ -925,6 +940,7 @@ __PACKAGE__->register_method({
 
 	    &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
 
+	    check_vm_dir_perm($rpcenv, $authuser, $param);
 	    &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
 	    check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
 	    check_vm_create_hostpci_perm($rpcenv, $authuser, $vmid, $pool, $param);
@@ -1660,6 +1676,8 @@ my $update_vm_api  = sub {
 
     &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);
 
+    check_vm_dir_perm($rpcenv, $authuser, $param);
+
     &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
 
     PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
-- 
2.39.2




