Re: [pve-devel] [PATCH pve-manager 3/4] api2: network: check permissions for local bridges

Fri, 02 Jun 2023 04:40:28 -0700 

On May 26, 2023 9:27 am, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
> ---
>  PVE/API2/Network.pm | 12 +++++-------
>  1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
> index b3faba1a..ba3b3e0e 100644
> --- a/PVE/API2/Network.pm
> +++ b/PVE/API2/Network.pm
> @@ -240,22 +240,20 @@ __PACKAGE__->register_method({
>  
>       if (my $tfilter = $param->{type}) {
>           my $vnets;
> -         my $vnet_cfg;
> -         my $can_access_vnet = sub { # only matters for the $have_sdn case, 
> checked implict
> -             return 1 if $authuser eq 'root@pam' || !defined($vnets);
> -             return 1 if 
> !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # 
> not a vnet
> -             $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 
> 'SDN.Allocate'], 1)
> +         #check access for local bridges
> +         my $can_access_vnet = sub {
> +             return 1 if $authuser eq 'root@pam';
> +             return 1 if $rpcenv->check_any($authuser, "/sdn/zones/local", 
> ['SDN.Audit', 'SDN.Allocate'], 1);
> +             return 1 if $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", 
> ['SDN.Audit', 'SDN.Allocate'], 1);

here the same question arises - is there anything guarding against name
collisions between SDN vnets and local bridges that pretend to be vnets?
;)

>           };
>  
>           if ($have_sdn && $param->{type} eq 'any_bridge') {
>               $vnets = PVE::Network::SDN::get_local_vnets(); # returns 
> already access-filtered
> -             $vnet_cfg = PVE::Network::SDN::Vnets::config();
>           }
>  
>           for my $k (sort keys $ifaces->%*) {
>               my $type = $ifaces->{$k}->{type};
>               my $match = $tfilter eq $type || ($tfilter =~ 
> /^any(_local)?_bridge$/ && ($type eq 'bridge' || $type eq 'OVSBridge'));
> -
>               delete $ifaces->{$k} if !($match && $can_access_vnet->($k));
>           }
>  
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to