use VM.Config.HWType for 'socket' and root@pam for real serial devices

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
 PVE/API2/Qemu.pm | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index d8c9726..7195ec2 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -302,7 +302,7 @@ my $cloudinitoptions = {
 };
 
 my $check_vm_modify_config_perm = sub {
-    my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
+    my ($rpcenv, $authuser, $vmid, $pool, $key_list, $values) = @_;
 
     return 1 if $authuser eq 'root@pam';
 
@@ -330,6 +330,14 @@ my $check_vm_modify_config_perm = sub {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
        } elsif ($cloudinitoptions->{$opt} || ($opt =~ 
m/^(?:net|ipconfig)\d+$/)) {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, 
['VM.Config.Network']);
+       } elsif ($opt =~ m/^serial\d+$/) {
+           if ($values && $values->{$opt} eq 'socket') {
+               $rpcenv->check_vm_perm($authuser, $vmid, $pool, 
['VM.Config.HWType']);
+           } elsif (!$values) {
+               next; # deletion will be checked later since we do not have the 
config here
+           } else {
+               die "only root can set '$opt' config to real devices\n";
+           }
        } else {
            # catches usb\d+, hostpci\d+, args, lock, etc.
            # new options will be checked here
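Review bot: The serial pattern in this branch, `m/^serial\d+$/`, is wider than the one used by the deletion check in the last hunk of `$update_vm_api`, `m/^serial\d$/`, while the `!$values` branch here skips the permission check on the assumption that the deletion loop performs it. A key with a multi-digit index would be skipped here and then land in the generic `else` branch of the deletion loop, where no serial-specific check is visible. Whether the config schema admits such a key cannot be seen from this patch, so both places should use the same pattern, e.g. `} elsif ($opt =~ m/^serial\d+$/) {` in the deletion loop. The body of `$check_vm_modify_config_perm` continues outside this hunk.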
@@ -517,7 +525,7 @@ __PACKAGE__->register_method({
 
            &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, 
$param, $storage);
 
-           &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ 
keys %$param]);
+           &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ 
keys %$param], $param);
 
            foreach my $opt (keys %$param) {
                if (PVE::QemuServer::is_valid_drivename($opt)) {
@@ -1127,7 +1135,7 @@ my $update_vm_api  = sub {
 
     &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [@delete]);
 
-    &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys 
%$param]);
+    &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys 
%$param], $param);
 
     &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
 
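Review bot: On the update path the added `$param` argument gives the serial check only the requested value, never the value currently stored in the config. As far as these hunks show, a caller holding VM.Config.HWType can overwrite an existing real-device `serialN` entry with `socket`, whereas deleting that same entry is restricted to root@pam in the last hunk. If the asymmetry is not intended, the set path needs a matching check once the config is loaded, along the lines of `die "only root can modify '$opt' config for real devices\n" if defined($conf->{$opt}) && $conf->{$opt} ne 'socket' && $authuser ne 'root@pam';`. `$update_vm_api` starts and ends outside this hunk.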
@@ -1190,6 +1198,14 @@ my $update_vm_api  = sub {
                        if defined($conf->{pending}->{$opt});
                    PVE::QemuServer::vmconfig_delete_pending_option($conf, 
$opt, $force);
                    PVE::QemuConfig->write_config($vmid, $conf);
+               } elsif ($opt =~ m/^serial\d$/) {
+                   if ($conf->{$opt} eq 'socket') {
+                       $rpcenv->check_vm_perm($authuser, $vmid, undef, 
['VM.Config.HWType']);
+                   } elsif ($authuser ne 'root@pam') {
+                       die "only root can delete '$opt' config for real 
devices\n";
+                   }
+                   PVE::QemuServer::vmconfig_delete_pending_option($conf, 
$opt, $force);
+                   PVE::QemuConfig->write_config($vmid, $conf);
                } else {
                    PVE::QemuServer::vmconfig_delete_pending_option($conf, 
$opt, $force);
                    PVE::QemuConfig->write_config($vmid, $conf);
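Review bot: The new `serial` branch decides on `$conf->{$opt}` alone and ignores a queued value in `$conf->{pending}->{$opt}`, although the branch just above it does consult the pending section. If the active value is `socket` and a real device is pending for the same key, a VM.Config.HWType holder can presumably discard that pending entry through `vmconfig_delete_pending_option`; the helper's behaviour is outside this hunk, so that needs confirming. `$conf->{$opt}` can also be undef here, in which case `eq` emits an uninitialized-value warning before the non-root caller reaches the `die`. Reading the value once as `my $cur = $conf->{pending}->{$opt} // $conf->{$opt} // '';` and testing `$cur eq 'socket'` covers both cases and still fails closed.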
-- 
2.11.0

