Am 04.08.21 um 10:47 schrieb Fabian Ebner:
Am 03.08.21 um 14:29 schrieb Dominik Csapak:
we'll need that for checking the features more granularly
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
src/PVE/API2/LXC.pm | 6 ++++--
src/PVE/API2/LXC/Config.pm | 9 ++++++---
src/PVE/LXC.pm | 2 +-
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index b929481..e16ce6c 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -254,7 +254,7 @@ __PACKAGE__->register_method({
my $ostemplate = extract_param($param, 'ostemplate');
my $storage = extract_param($param, 'storage') // 'local';
- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
$pool, $param, []);
+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
$pool, undef, $param, [], $unprivileged);
Sorry, I meant here ;)
my $storage_cfg = cfs_read_file("storage.cfg");
@@ -1679,7 +1679,9 @@ __PACKAGE__->register_method({
die "no options specified\n" if !scalar(keys %$param);
- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $param, []);
+ my $conf = PVE::LXC::Config->load_config($vmid);
+
+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $conf, $param, [], $conf->{unprivileged});
my $storage_cfg = cfs_read_file("storage.cfg");
diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index 73fec36..ab136c0 100644
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -135,6 +135,9 @@ __PACKAGE__->register_method({
my $node = extract_param($param, 'node');
my $vmid = extract_param($param, 'vmid');
+ my $conf = PVE::LXC::Config->load_config($vmid);
+ my $unprivileged = $conf->{unprivileged};
+
my $digest = extract_param($param, 'digest');
die "no options specified\n" if !scalar(keys %$param);
@@ -144,8 +147,8 @@ __PACKAGE__->register_method({
my $revert_str = extract_param($param, 'revert');
my @revert = PVE::Tools::split_list($revert_str);
- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, {}, [@delete]);
- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, {}, [@revert]);
+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $conf, {}, [@delete], $unprivileged);
+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $conf, {}, [@revert], $unprivileged);
foreach my $opt (@revert) {
raise_param_exc({ revert => "unknown option '$opt'" })
@@ -166,7 +169,7 @@ __PACKAGE__->register_method({
if grep(/^$opt$/, @revert);
}
- PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $param, []);
+ PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid,
undef, $conf, $param, [], $unprivileged);
When restoring, $param can be {} here.
This means together with the other patches, it's possible as non-root to:
1. Enable nesting on an unprivileged container
2. Backup
3. Restore as privileged, and nesting is still set
my $storage_cfg = PVE::Storage::config();
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 139f901..32a2127 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1242,7 +1242,7 @@ sub template_create {
}
sub check_ct_modify_config_perm {
- my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_;
+ my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf,
$delete, $unprivileged) = @_;
return 1 if $authuser eq 'root@pam';
my $storage_cfg = PVE::Storage::config();
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
