From f5a88e98703cfb5bd6a34bd6579a3b18ca30444c Mon Sep 17 00:00:00 2001
From: Leo Nunner <l.nunner@proxmox.com>
Date: Wed, 16 Nov 2022 18:34:29 +0100
Subject: [PATCH] fix #4321: properly check cloud-init drive permissions

The process for editing Cloud-init drives checked for inconsistent
permissions: for adding, the VM.Config.Disk permission was needed, while
the VM.Config.CDROM permission was needed to remove a drive. The regex
in drive_is_cloudinit needed to be adapted since the drive names have
different formats before/after they are actually generated.

Due to the regex letting names fall through before, Cloud-init drives
were being checked as disks, even though they are actually treated as
CDROM drives. Due to this, it makes more sense to check for
VM.Config.CDROM instead, while also requiring VM.Config.Cloudinit, since
generating a Cloud-init drive already generates default values that are
passed to the VM.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
 PVE/API2/Qemu.pm        | 6 ++++--
 PVE/QemuServer/Drive.pm | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index edb495bc..54265123 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1627,11 +1627,13 @@ my $update_vm_api  = sub {
 	    my $check_drive_perms = sub {
 		my ($opt, $val) = @_;
 		my $drive = PVE::QemuServer::parse_drive($opt, $val, 1);
-		# FIXME: cloudinit: CDROM or Disk?
-		if (PVE::QemuServer::drive_is_cdrom($drive)) { # CDROM
+		if (PVE::QemuServer::drive_is_cloudinit($drive)) {
+		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Cloudinit', 'VM.Config.CDROM']);
+		} elsif (PVE::QemuServer::drive_is_cdrom($drive, 1)) { # CDROM
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.CDROM']);
 		} else {
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
+
 		}
 	    };
 
diff --git a/PVE/QemuServer/Drive.pm b/PVE/QemuServer/Drive.pm
index 1dc6171a..12a1fbe2 100644
--- a/PVE/QemuServer/Drive.pm
+++ b/PVE/QemuServer/Drive.pm
@@ -540,7 +540,7 @@ sub verify_bootdisk {
 
 sub drive_is_cloudinit {
     my ($drive) = @_;
-    return $drive->{file} =~ m@[:/]vm-\d+-cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
+    return $drive->{file} =~ m@[:/](?:vm-\d+-)?cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
 }
 
 sub drive_is_cdrom {