[pve-devel] applied-series: [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Jul 17 23:26:29 CEST 2025
Am 17.07.25 um 15:36 schrieb Fiona Ebner:
> The privilege VM.Monitor has a very ambiguous name and is dropped.
> Most of the API endpoints using it are for the QEMU guest agent
> commands, the only other place is access to the QEMU HMP monitor.
>
> 1. Introduce dedicated, more fine-grained privileges for the guest
> agent commands:
>
> There is a basic VM.GuestAgent.Audit privilege for read-only,
> informational commands.
>
> There are dedicated privileges VM.GuestAgent.File{Read,Write} for the
> file-{read,write} commands. There is a separate
> VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw and
> trim.
>
> The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
> operations, in particular also execution of arbitrary commands with
> guest-exec.
>
> 2. For access to the QEMU HMP monitor, only the 'info' and 'help'
> commands were usable without an additional Sys.Modify privilege. Since
> the information accessible via 'info' is very low-level and often
> related to the QEMU process on the system, requiring Sys.Audit seems
> natural.
>
> These are breaking changes. A check in pve8to9 is provided.
>
>
> qemu-server patch "api: monitor: improve permission handling" and
> manager patch "pve8to9: remove outdated checks for user roles" can
> be applied independently from the rest of the series.
>
>
> New qemu-server depends on new access-control, new access-control
> breaks old qemu-server.
I did not record the breaks for now, no big reason and we can still
do a re-bump of access-control if you prefer doing so, it *would* be
slightly cleaner.
> access-control:
>
> Fiona Ebner (2):
> add VM.GuestAgent privileges
> privileges: drop VM.Monitor
>
> src/PVE/AccessControl.pm | 7 +++++--
> src/test/perm-test1.pl | 8 ++++++--
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
>
> qemu-server:
>
> Fiona Ebner (3):
> api: agent: use more specific guest agent privileges
> api: monitor: improve permission handling
> api: monitor: require Sys.Audit or Sys.Modify privilege
>
> src/PVE/API2/Qemu.pm | 34 ++++--
> src/PVE/API2/Qemu/Agent.pm | 66 +++++++++--
> src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
> src/PVE/API2/Qemu/Makefile | 2 +-
> 4 files changed, 289 insertions(+), 20 deletions(-)
> create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm
>
>
> manager:
>
> Fiona Ebner (2):
> pve8to9: remove outdated checks for user roles
> pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles
>
> PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
> 1 file changed, 16 insertions(+), 24 deletions(-)
>
>
> docs:
>
> Fiona Ebner (2):
> user management: privileges: document new VM guest agent privileges
> user management: privileges: remove reference to dropped VM.Monitor
> privilege
>
> pveum.adoc | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>
> Summary over all repositories:
> 8 files changed, 322 insertions(+), 49 deletions(-)
>
applied, thanks!
More information about the pve-devel
mailing list