proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 14:18:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add VM.GuestAgent privileges

Browse Source 
The privilege VM.Monitor has a very ambiguous name and is planned to
be dropped. Most of the API endpoints using it are for the QEMU guest
agent commands. Introduce dedicated, more fine-grained privileges for
those.

There is a basic VM.GuestAgent.Audit privilege for read-only,
informational commands.

There are dedicated privileges VM.GuestAgent.File{Read,Write} for
the file-{read,write} commands. There is a separate
VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw
and trim.

The VM.GuestAgent.Unrestricted privilege is to allow all guest agent
operations, in particular also execution of arbitrary commands with
guest-exec.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Link: https://lore.proxmox.com/20250717133711.84715-2-f.ebner@proxmox.com
This commit is contained in:
Fiona Ebner 2025-07-17 15:36:49 +02:00 committed by Thomas Lamprecht
parent d09d3fe022
commit 922f710574
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/PVE/AccessControl.pm
View File

@ -1059,6 +1059,7 @@ my $privgroups = {
'VM.Config.Options', # covers all other things 'VM.Config.Options', # covers all other things
'VM.Allocate', 'VM.Allocate',
'VM.Clone', 'VM.Clone',
'VM.GuestAgent.Unrestricted',
'VM.Migrate', 'VM.Migrate',
'VM.Monitor', 'VM.Monitor',
'VM.Snapshot', 'VM.Snapshot',
@ -1069,10 +1070,13 @@ my $privgroups = {
'VM.Config.Cloudinit', 'VM.Config.Cloudinit',
'VM.Console', 'VM.Console',
'VM.Backup', 'VM.Backup',
'VM.GuestAgent.FileRead',
'VM.GuestAgent.FileSystemMgmt',
'VM.GuestAgent.FileWrite',
'VM.PowerMgmt', 'VM.PowerMgmt',
], ],
audit => [ audit => [
'VM.Audit', 'VM.Audit', 'VM.GuestAgent.Audit',
], ],
}, },
Sys => { Sys => {

8
src/test/perm-test1.pl
View File

@ -65,7 +65,9 @@ check_permission(
'' # sorted, comma-separated expected privilege string '' # sorted, comma-separated expected privilege string
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,' . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,' . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
. 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback', . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
. 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.Monitor,VM.PowerMgmt,'
. 'VM.Snapshot,VM.Snapshot.Rollback',
); );
# Administrator -> Permissions.Modify! # Administrator -> Permissions.Modify!
check_permission( check_permission(
@ -83,7 +85,9 @@ check_permission(
. 'User.Modify,' . 'User.Modify,'
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,' . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,' . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
. 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback', . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
. 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.Monitor,VM.PowerMgmt,'
. 'VM.Snapshot,VM.Snapshot.Rollback',
); );
check_roles('max@pve', '/vms/200', 'storage_manager'); check_roles('max@pve', '/vms/200', 'storage_manager');