[pve-devel] applied-series: [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege

Thu Jul 17 23:26:29 CEST 2025

Am 17.07.25 um 15:36 schrieb Fiona Ebner:
> The privilege VM.Monitor has a very ambiguous name and is dropped.
> Most of the API endpoints using it are for the QEMU guest agent
> commands, the only other place is access to the QEMU HMP monitor.
> 
> 1. Introduce dedicated, more fine-grained privileges for the guest
> agent commands:
> 
> There is a basic VM.GuestAgent.Audit privilege for read-only,
> informational commands.
> 
> There are dedicated privileges VM.GuestAgent.File{Read,Write} for the
> file-{read,write} commands. There is a separate
> VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw and
> trim.
> 
> The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
> operations, in particular also execution of arbitrary commands with
> guest-exec.
> 
> 2. For access to the QEMU HMP monitor, only the 'info' and 'help'
> commands were usable without an additional Sys.Modify privilege. Since
> the information accessible via 'info' is very low-level and often
> related to the QEMU process on the system, requiring Sys.Audit seems
> natural.
> 
> These are breaking changes. A check in pve8to9 is provided.
> 
> 
> qemu-server patch "api: monitor: improve permission handling" and
> manager patch "pve8to9: remove outdated checks for user roles" can
> be applied independently from the rest of the series.
> 
> 
> New qemu-server depends on new access-control, new access-control
> breaks old qemu-server.

I did not record the breaks for now, no big reason and we can still
do a re-bump of access-control if you prefer doing so, it *would* be
slightly cleaner. 
> access-control:
> 
> Fiona Ebner (2):
>   add VM.GuestAgent privileges
>   privileges: drop VM.Monitor
> 
>  src/PVE/AccessControl.pm | 7 +++++--
>  src/test/perm-test1.pl   | 8 ++++++--
>  2 files changed, 11 insertions(+), 4 deletions(-)
> 
> 
> qemu-server:
> 
> Fiona Ebner (3):
>   api: agent: use more specific guest agent privileges
>   api: monitor: improve permission handling
>   api: monitor: require Sys.Audit or Sys.Modify privilege
> 
>  src/PVE/API2/Qemu.pm          |  34 ++++--
>  src/PVE/API2/Qemu/Agent.pm    |  66 +++++++++--
>  src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
>  src/PVE/API2/Qemu/Makefile    |   2 +-
>  4 files changed, 289 insertions(+), 20 deletions(-)
>  create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm
> 
> 
> manager:
> 
> Fiona Ebner (2):
>   pve8to9: remove outdated checks for user roles
>   pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles
> 
>  PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
>  1 file changed, 16 insertions(+), 24 deletions(-)
> 
> 
> docs:
> 
> Fiona Ebner (2):
>   user management: privileges: document new VM guest agent privileges
>   user management: privileges: remove reference to dropped VM.Monitor
>     privilege
> 
>  pveum.adoc | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> 
> Summary over all repositories:
>   8 files changed, 322 insertions(+), 49 deletions(-)
> 

applied, thanks!