proxmox-mirrors/qemu-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu-server synced 2025-05-03 08:48:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

restore: extend permissions checks

Browse Source 
to allow early checking of the merged config, if the backup archive
passed in is a proper volume where extraction is possible.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2023-06-20 09:41:49 +02:00 committed by Thomas Lamprecht
parent c36214d2a6
commit 621edb2b65
2 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
PVE/API2/Qemu.pm
View File

@ -958,6 +958,19 @@ __PACKAGE__->register_method({
live => $live_restore, live => $live_restore,
override_conf => $param, override_conf => $param,
}; };
if (my $volid = $archive->{volid}) {
# best effort, real check is after restoring!
my $merged = eval {
my $old_conf = PVE::Storage::extract_vzdump_config($storecfg, $volid);
PVE::QemuServer::restore_merge_config("backup/qemu-server/$vmid.conf", $old_conf, $param);
};
if ($@) {
warn "Could not extract backed up config: $@\n";
warn "Skipping early checks!\n";
} else {
PVE::QemuServer::check_restore_permissions($rpcenv, $authuser, $merged);
}
}
if ($archive->{type} eq 'file' || $archive->{type} eq 'pipe') { if ($archive->{type} eq 'file' || $archive->{type} eq 'pipe') {
die "live-restore is only compatible with backup images from a Proxmox Backup Server\n" die "live-restore is only compatible with backup images from a Proxmox Backup Server\n"
if $live_restore; if $live_restore;

11
PVE/QemuServer.pm
View File

@ -6542,10 +6542,9 @@ sub check_mapping_access {
} }
}; };
# FIXME: improve checks on restore by checking before actually extracing and
# merging the new config
sub check_restore_permissions { sub check_restore_permissions {
my ($rpcenv, $user, $conf) = @_; my ($rpcenv, $user, $conf) = @_;
check_bridge_access($rpcenv, $user, $conf); check_bridge_access($rpcenv, $user, $conf);
check_mapping_access($rpcenv, $user, $conf); check_mapping_access($rpcenv, $user, $conf);
} }
@ -6865,7 +6864,7 @@ my $restore_destroy_volumes = sub {
} }
}; };
my $restore_merge_config = sub { sub restore_merge_config {
my ($filename, $backup_conf_raw, $override_conf) = @_; my ($filename, $backup_conf_raw, $override_conf) = @_;
my $backup_conf = parse_vm_config($filename, $backup_conf_raw); my $backup_conf = parse_vm_config($filename, $backup_conf_raw);
@ -6874,7 +6873,7 @@ my $restore_merge_config = sub {
} }
return $backup_conf; return $backup_conf;
}; }
sub scan_volids { sub scan_volids {
my ($cfg, $vmid) = @_; my ($cfg, $vmid) = @_;
@ -7192,7 +7191,7 @@ sub restore_proxmox_backup_archive {
$new_conf_raw .= "\nlock: create"; $new_conf_raw .= "\nlock: create";
} }
my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $options->{override_conf}); my $new_conf = restore_merge_config($conffile, $new_conf_raw, $options->{override_conf});
check_restore_permissions($rpcenv, $user, $new_conf); check_restore_permissions($rpcenv, $user, $new_conf);
PVE::QemuConfig->write_config($vmid, $new_conf); PVE::QemuConfig->write_config($vmid, $new_conf);
@ -7506,7 +7505,7 @@ sub restore_vma_archive {
die $err; die $err;
} }
my $new_conf = $restore_merge_config->($conffile, $new_conf_raw, $opts->{override_conf}); my $new_conf = restore_merge_config($conffile, $new_conf_raw, $opts->{override_conf});
check_restore_permissions($rpcenv, $user, $new_conf); check_restore_permissions($rpcenv, $user, $new_conf);
PVE::QemuConfig->write_config($vmid, $new_conf); PVE::QemuConfig->write_config($vmid, $new_conf);