Am 03.08.21 um 14:29 schrieb Dominik Csapak:
we'll need that for checking the features more granularlySigned-off-by: Dominik Csapak <d.csa...@proxmox.com> --- src/PVE/API2/LXC.pm | 6 ++++-- src/PVE/API2/LXC/Config.pm | 9 ++++++--- src/PVE/LXC.pm | 2 +- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm index b929481..e16ce6c 100644 --- a/src/PVE/API2/LXC.pm +++ b/src/PVE/API2/LXC.pm @@ -254,7 +254,7 @@ __PACKAGE__->register_method({ my $ostemplate = extract_param($param, 'ostemplate'); my $storage = extract_param($param, 'storage') // 'local';- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, undef, $param, [], $unprivileged);my $storage_cfg = cfs_read_file("storage.cfg"); @@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({ die "no options specified\n" if !scalar(keys %$param); - PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);+ my $conf = PVE::LXC::Config->load_config($vmid); + + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $conf->{unprivileged});my $storage_cfg = cfs_read_file("storage.cfg"); diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pmindex 73fec36..ab136c0 100644 --- a/src/PVE/API2/LXC/Config.pm +++ b/src/PVE/API2/LXC/Config.pm @@ -135,6 +135,9 @@ __PACKAGE__->register_method({ my $node = extract_param($param, 'node'); my $vmid = extract_param($param, 'vmid');+ my $conf = PVE::LXC::Config->load_config($vmid);+ my $unprivileged = $conf->{unprivileged}; + my $digest = extract_param($param, 'digest');die "no options specified\n" if !scalar(keys %$param);@@ -144,8 +147,8 @@ __PACKAGE__->register_method({ my $revert_str = extract_param($param, 'revert'); my @revert = PVE::Tools::split_list($revert_str);- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@delete]);- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, {}, [@revert]); + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@delete], $unprivileged); + PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, {}, [@revert], $unprivileged);foreach my $opt (@revert) {raise_param_exc({ revert => "unknown option '$opt'" }) @@ -166,7 +169,7 @@ __PACKAGE__->register_method({ if grep(/^$opt$/, @revert); }- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $unprivileged);
When restoring, $param can be {} here.
This means together with the other patches, it's possible as non-root to:
1. Enable nesting on an unprivileged container
2. Backup
3. Restore as privileged, and nesting is still set
my $storage_cfg = PVE::Storage::config(); diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pmindex 139f901..32a2127 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -1242,7 +1242,7 @@ sub template_create { }sub check_ct_modify_config_perm {- my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_; + my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;return 1 if $authuser eq 'root@pam';my $storage_cfg = PVE::Storage::config();
_______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
