Firewall/IPSet: implement permission

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 27cf1e6e4b84dc4b05ddbd594295801c347574dc..727204a733afd20fe7780456495ecbfd0f388a60 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1211,6 +1211,46 @@ sub copy_rule_data {
     return $rule;
 }
 
+sub rules_modify_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+       return {
+           check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+       };
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+       return {
+           check => ['perm', '/', [ 'Sys.Modify' ]],
+       };
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+       return {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+       }
+    }
+
+    return undef;
+}
+
+sub rules_audit_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+       return {
+           check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+       };
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+       return {
+           check => ['perm', '/', [ 'Sys.Audit' ]],
+       };
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+       return {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+       }
+    }
+
+    return undef;
+}
+
 # core functions
 my $bridge_firewall_enabled = 0;