[pve-devel] [PATCH v2 pve-manager 3/3] api2: network: check permissions for local bridges

Sun, 04 Jun 2023 16:37:53 -0700 

always check permissions, also when not filtered

Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
---
 PVE/API2/Network.pm | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index b3faba1a..55a37c44 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -240,23 +240,17 @@ __PACKAGE__->register_method({
 
        if (my $tfilter = $param->{type}) {
            my $vnets;
-           my $vnet_cfg;
-           my $can_access_vnet = sub { # only matters for the $have_sdn case, 
checked implict
-               return 1 if $authuser eq 'root@pam' || !defined($vnets);
-               return 1 if 
!defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # 
not a vnet
-               $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 
'SDN.Allocate'], 1)
-           };
 
            if ($have_sdn && $param->{type} eq 'any_bridge') {
                $vnets = PVE::Network::SDN::get_local_vnets(); # returns 
already access-filtered
-               $vnet_cfg = PVE::Network::SDN::Vnets::config();
            }
 
            for my $k (sort keys $ifaces->%*) {
                my $type = $ifaces->{$k}->{type};
-               my $match = $tfilter eq $type || ($tfilter =~ 
/^any(_local)?_bridge$/ && ($type eq 'bridge' || $type eq 'OVSBridge'));
-
-               delete $ifaces->{$k} if !($match && $can_access_vnet->($k));
+               my $match = ($param->{type} eq $type) || (
+                   ($param->{type} =~ /^any(_local)?_bridge$/) &&
+                   ($type eq 'bridge' || $type eq 'OVSBridge'));
+               delete $ifaces->{$k} if !$match;
            }
 
            if (defined($vnets)) {
@@ -264,6 +258,17 @@ __PACKAGE__->register_method({
            }
        }
 
+       #always check bridge access
+       my $can_access_vnet = sub {
+           return 1 if $authuser eq 'root@pam';
+           return 1 if $rpcenv->check_any($authuser, 
"/sdn/zones/localnetwork", ['SDN.Audit', 'SDN.Allocate'], 1);
+           return 1 if $rpcenv->check_sdn_bridge($authuser, 
"/sdn/vnets/$_[0]", ['SDN.Audit', 'SDN.Allocate'], 1);
+       };
+       for my $k (sort keys $ifaces->%*) {
+           my $type = $ifaces->{$k}->{type};
+           delete $ifaces->{$k} if ($type eq 'bridge' || $type eq 'OVSBridge') 
&& !$can_access_vnet->($k);
+       }
+
        return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
    }});
 
-- 
2.30.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to