api: create_vm: check serial and usb permissions

The existing check_vm_modify_config_perm doesn't do so anymore, but
the check only got re-added to the modify/delete paths. See commits
165be267ebff3f614cc6b56bbb594ef4d456a4e9 and
e30f75c571a6a678f8f1f3dfb2dee1b622b49185 for context.

In the future, it might make sense to generalise the
check_vm_modify_config_perm and have it not only take keys, but both
new and old values, and use that generalised function everywhere.

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 5015d82ca8e7240107285b90bfa0734d4bfa0e08..6706b55efb24883b15bd190227f8df8212716f1c 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -329,6 +329,42 @@ my $cloudinitoptions = {
     sshkeys => 1,
 };
 
+my $check_vm_create_serial_perm = sub {
+    my ($rpcenv, $authuser, $vmid, $pool, $param) = @_;
+
+    return 1 if $authuser eq 'root@pam';
+
+    foreach my $opt (keys %{$param}) {
+       next if $opt !~ m/^serial\d+$/;
+
+       if ($param->{$opt} eq 'socket') {
+           $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
+       } else {
+           die "only root can set '$opt' config for real devices\n";
+       }
+    }
+
+    return 1;
+};
+
+my $check_vm_create_usb_perm = sub {
+    my ($rpcenv, $authuser, $vmid, $pool, $param) = @_;
+
+    return 1 if $authuser eq 'root@pam';
+
+    foreach my $opt (keys %{$param}) {
+       next if $opt !~ m/^usb\d+$/;
+
+       if ($param->{$opt} =~ m/spice/) {
+           $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
+       } else {
+           die "only root can set '$opt' config for real devices\n";
+       }
+    }
+
+    return 1;
+};
+
 my $check_vm_modify_config_perm = sub {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 
@@ -567,6 +603,9 @@ __PACKAGE__->register_method({
 
            &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
 
+           &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
+           &$check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
+
            &$check_cpu_model_access($rpcenv, $authuser, $param);
 
            foreach my $opt (keys %$param) {